csc375/cscm75 logic for computer science

CSC375/CSCM75

Logic for Computer Science

Ulrich Berger

Department of Computer ScienceSwansea University

Fall 2017

[email protected]

http://www.cs.swan.ac.uk/∼csulrich/

tel 513380, fax 295708, room 306, Faraday Tower

1 Introduction

The aim of this course is to give the student a working knowledge in logic and itsapplications in Computer Science. Rather than trying to cover logic in its full breadth,which, given the diversity and complexity of the subject, would be an impossible taskfor a one-semester course, we will focus on the most fundamental concepts whichevery computer scientists should be familiar with, be it as a practitioner in industryor as a researcher at university. Although the selection of topics reflects to someextent my personal view and taste of logic, I will aim at a balanced presentation thatalso takes into account aspects of logic are not so close to my own research interests.

Throughout the course I will emphasize that logic is something one does : one modelsa computing system, specifies a data type or a program, checks or proves that asystem satisfies a certain property. We will do a lot of exercises where these logicalactivities will be trained, mostly on the blackboard or with pencil and paper, andoccasionally using the computer. The aim is to provide the student with active logicskills to solve computing problems.

1

December 5, 2017 CSC375/CSCM75 Logic for Computer Science 2

Besides its practical applications we will also look into the historical developmentof logic. What were the main philosophical and mathematical questions that led tomodern logic as we know it today? We will see that these questions and their answersdid shape not only logic, but also large parts of Computer Science.

The main prerequisites for this course are curiosity and a good appetite for solvingproblems . No prior knowledge of logic is required. However, I take it for grantedthat the student is able to digest formal definitions of syntactic entities such as termsor formulas. For a Computer Science student, who is familiar with formal syntacticobjects such as computer programs, this will not be a problem at all.

“Logic for Computer Science” is a stand-alone course, but it is also intended to sup-port other Computer Science modules offered, in particular the modules on EmbeddedSystems, High Integrity Systems, Software Testing, Big Data and Machine Learning,and Modeling and Verification Techniques. Our course does not follow a particulartextbook, but it will use material from several books and lectures on logic. Some ofthe main sources are:

[1] D van Dalen, Logic and Structure, 3rd edition, Springer, 1994.

[2] J H Gallier, Logic for Computer Science, John Wiley & Sons, 1987.

[3] Handbook of Logic in Computer Science, Vol. 1-6, S Abramsky, D MGabbay, T S E Maibaum, eds, OUP, 1994.

[4] J R Shoenfield, Mathematical Logic, Addison-Wesley, 1967.

[5] D B Plummer, J Barwise, J Etchemendy, Tarski’s World, CSLI LectureNotes, 2008.

[6] U Schoening, Logic for Computer Science, Birkhauser, 1989.

[7] A S Troelstra, D van Dalen, Constructivism in Mathematics, Vol. I,North-Holland, 1988.

[8] D Velleman, How to Prove It, 2nd edition, CUP, 1994.

[9] B, Programming with Abstract Data Types, Lecture Notes, Swansea Uni-versity, 2009.

[10] Michael Huth, Mark Ryan, Logic in Computer Science, Cambridge Uni-versity Press, 2004.

These are preliminary course notes which are being developed as the course progresses.I will be grateful for reporting to me any errors or suggestions for improvements. Forstudents seriously interested in logic I recommend to study in addition the sourceslisted below as well as further literature on logic which will be recommended duringthe course.


2 Propositional Logic

George Boole (1815 - 1864)English Mathematician, Philosopher and Logician

Propositional Logic is the logic of atomic propositions that are combined by logicalconnectives such as “and”, “or”, “not”, “implies”.

Here is an example taken from [2]. Consider the following propositions

T “John is a teacher”,

R “John is rich”,

S “John is a rock singer”.

We call T , R, S, atomic propositions. Now consider the following statements:

• John is a teacher.

• It is not the case that John is a teacher and John is rich.

• If John is a rock singer then John is rich.

We wish to show that the above assumptions imply

It is not the case that John is a rock singer.

Using the abbreviations and parentheses to disambiguate the statements (in particularthe second assumption!) this amounts to showing that the following statement holds:


(∗) (T and not(T and R) and (S implies R)) implies not(S)

holds. To keep the notation of statements short we first introduce some commonsymbols for the logical connectives:

∧ for “and”→ for “implies”¬ for “not”

Now the statement we wish to prove can be written as follows:

(∗) (T ∧ ¬(T ∧R) ∧ (S → R))→ ¬S

Without worrying at the moment too much about what it precisely means for a state-ment to “hold” we can give a proof of our statement using common sense reasoning:

To prove (∗) we assume that the premises, T , ¬(T ∧R) and S → R are all true.

We must show that the conclusion, ¬S, is true, that is, S is false. In other words, wemust show that assuming S leads to a contradiction.

Hence, we assume S, aiming for a contradiction.

Since we assumed S and we assumed (S → R) we know that R holds. Hence in fact(T ∧R) holds since we assumed T . But this contradicts the assumption ¬(T ∧R).

It is possible to make this kind of reasoning completely precise and formal. Moreover,there are computer systems carrying out the reasoning automatically. We will explorethis possibility later in the course.

Yet, there is another, completely different method of finding out that the statement(∗) holds: Since we know nothing about the atomic propositions T , R, S, other thanthat they are either true or false, we can simply try all possible ways of assigning“true” or “false” to T , R, S and check that statement (∗) is true in all cases. It israther obvious that this method can be automatised as well.

Note that the method of checking all assignments relies on the assumption that theatomic propositions involved are completely independent of each other and that itonly matters whether they are true or false, but not what they actually “mean”. Inother words, in propositional logic atomic propositions are viewed as “black boxes”whose internal structure is invisible.

To highlight this point consider the propositions

A := it is raining

B := the street is wet


Common sense tells us that the statement A→ B holds, but there is no way findingthis out using a logical proof or the assignment method. One can say that thestatement A → B holds, however not for reasons of propositional logic, but forreasons having to do with the meaning of A and B.

On the other hand our proof above was purely logical. It did not depend on themeanings of the atomic statements T , R and S.

2.1 The three elements of logic

Although our example of teacher John is very simple, it suffices to discern threefundamental elements of logic:

Syntax The expression (∗) (T ∧ ¬(T ∧ R) ∧ (S → R)) → ¬S is an example of aformula, that is, a formal syntactic representation of a statement. In a given logic itwill always be precisely defined which expressions are wellformed, that is, syntacticallycorrect, formulas. Different logics may have different formulas. In Computer Science,formulas are used to specify computer programs, processes, etc., that is, to preciselydescribe their properties.

Semantics Given a formula, the question arises what is its semantics, that is,meaning, or, more specifically, what does it mean for a formula to be true? Forexample, looking at the formula ¬(T ∧R) we might say that we cannot determine itstruth unless we know whether T and R are true. This means that we can determinethe truth of this formula only with respect to a certain assignment of truth values.Such an assignment is a special case of a structure, also called model, or world. Insemantics one often studies structures and the question whether a formula is true in astructure. However, looking at formula (∗) we might say that it is true irrespectivelyof the model. One also says (∗) is valid, or logically true.

Proof How can we find out whether a formula is true? This question can be askedwith respect to a given model, if one wants to know whether the formula holds in thegiven model. But one can also ask whether the formula is true in all models, that is,whether it is logically true? Are there mechanisable, or even automatisable methodsto prove that a formula is true? In Computer Science, a lot of research effort is spenton developing systems that can automatically or semi-automatically prove formulasor construct models where a formula is false. Many of these systems are already inuse to improve the quality and dependability of safety critical computer applications.

All forms of logic are essentially concerned with the study of these three elements:syntax, semantics, proof. They will also be the guiding principles of this logic course.


2.2 Syntax of propositional logic

We assume we are given an infinite sequence P1, P2, . . . of atomic propositions.

2.2.1 Propositional formula

The set of propositional formulas is defined inductively as follows.

(i) Every atomic proposition is a propositional formula.

(ii) > and ⊥ are propositional formulas.

(iii) If A is a propositional formula, then ¬A is a propositional formula .

(iv) If A and B are propositional formulas, then (A ∧ B), (A ∨ B), and (A → B)are propositional formulas.

Some comments regarding:

• The phrase “defined inductively” used above means that propositional formulasare exactly those expressions that can be generated by the rules (i) - (iv).

• Atomic propositions are also called propositional variables (because, as we willsee, their truth value may vary).

• The formulas > and ⊥ represent the truth values “true” and “false”. These arealso often denoted by the numbers 1 and 0.

• Atomic propositions as well as > and ⊥ are called basic formulas. All otherformulas are called composite formulas.

• The formula ¬A is called the negation of A, pronounced “not A”. Some text-books use the notation ∼ A instead.

• The formula (A∧B) is called conjunction of A and G, pronounced “A and B”.

• The formula (A ∨B) is called disjunction of A and B, pronounced “A or B”.

• A formula of the form (A → B) is called implication, pronounced “A impliesB”. In some textbooks implication is written A ⊃ B.

• It is often convenient to introduce the abbreviation

(A↔ B) := (A→ B) ∧ (A→ B)

A formula of the form (A↔ B) is called equivalence, pronounced “A is equiva-lent to B”. In many textbooks this is written A ≡ B.


• The symbols ¬,∧,∨,→ are called “propositional connectives” (or “logical con-nectives”).

Since in this and the following chapters we will only consider propositional formulasand no other kind of formulas we will allow ourselves to say “formula” instead of“propositional formula”.

Definition 2.2.1 maybe equivalently formulated as a context free grammar in Backus-Naur form:

< formula > ::= < atomic proposition >

| >| ⊥| ¬ < formula >

| (< formula > ∧ < formula >)

| (< formula > ∨ < formula >)

| (< formula > → < formula >)

2.2.2 Examples of formulas

Let A,B,C be atomic propositions.

(a) (A ∨ ¬A)

(b) (A ∧B) ∨ C

(c) ((A ∨B)→ (A ∧B))

(d) (((A ∨B)→ (A ∧B))→ ⊥)

(e) ((A ∨B)→ ((A ∧B)→ ⊥))

These examples, in particular (d) and (e), demonstrate that a proliferation of paren-theses can make formulas hard to read. In order to improve readability we will makeuse of the following conventions:

• Outermost parentheses are omitted. For example, we write ¬A ∧ B instead of(¬A ∧B).

• Implication is the least binding operator. For example, we write A∧B → B∨Afor (A ∧B)→ (B ∨ A).


• Implication is assumed to associate to the right. This means, for example, thatwe write A→ B → C → D for A→ (B → (C → D)).

• Conjunction and disjunction are assumed to associate to the left. For example,we write A ∧B ∧ C instead of (A ∧B) ∧ C.

Warnings: We do not assume that ∧ binds stronger than ∨, and, for example, inthe formula (A → B) → C the parentheses may not be omitted. Furthermore, theformulas ¬A ∧ B and ¬(A ∧ B) are not the same. In order to distinguish the lattertwo formulas more clearly we may occasionally enclose a negation in (redundant)parentheses, as, for example, in (¬A) ∧B.

2.2.3 Exercise

(a) Write down the formulas of Example 2.2.2 omitting as many parentheses aspossible according to the conventions above.

(b) Add to the formula A ∧B → A ∨ C → D all omitted parentheses.

(c) Is the expression A ∧B ∨ C a correct denotation of a formula?

2.2.4 Exercise

Write down the formula of the initial exercise about John the teacher, with maximaland with minimal parentheses.

2.3 Induction on formulas

The way formulas are defined in 2.2.1 is an example of an inductive definition. Insteadof going into the theory of this kind of definition I try to give the intuition. The clauses(i) - (iv) are to be viewed as a generation process : All expression, and only those,which can be generated by a finite number of applications of the clauses are formulas.

Associated with this inductive definition is a principle of proof by induction on formu-las . It says that in order to prove that a certain property P (A) holds for all formulasA it is enough to prove

• Induction base: P (A) holds if A is a basic formula.

• Induction step: P holds for a composite formula provided P holds for its parts.For example when proving P (A→ B) one may assume (as induction hypothesis)that P (A) and P (B) hold (similarly for the other logical connectives).


2.3.1 Example of a proof by induction on formulas

Lemma 1. Every formula has as many opening parentheses as closing parentheses(assuming all parentheses are written).

Proof. By induction on formulas. We set

P (A) := A has as many opening parentheses as closing parentheses

Induction base: Clearly P holds for basic formulas, since these have no parenthesesat all.

Induction step: Consider a composite formula, for example, (A ∧ B). By inductionhypothesis A and B both satisfy P . Hence clearly (A ∧ B) satisfies P as well sinceexactly on opening and one closing parentheses were added. For the other logicalconnectives the argument is similar.

This completes the proof of the lemma.

Induction of formulas is very similar to the well-known induction on natural numberswhich is a proof principle saying that in order to prove a property P (n) for all naturalnumber n it suffices to prove

• the base case, P (0),

• and the step, P (n+ 1), under the assumption that P (n) (induction hypothesis)holds.

The reason why induction on natural numbers is correct is the same as for formulas:natural numbers are inductively defined by the clauses

(i) 0 is a natural number.

(ii) If n is a natural number, then n+ 1 is a natural number.

2.4 Recursion on formulas

In addition to the fact that all formulas are generated by the clauses (i)-(iv) of Defi-nition 2.2.1 it is true that this generation is non-ambiguous. That is, for each formulathere is only one way to generate it. In other words each string representing a formulacan be parsed in exactly one way. One says that formulas are freely generated by theclauses (i)-(iv).

Associated with the free generation of formulas is a principle of definition by recursionon formulas. This principle says that in order to define a function f on all formulasit is enough to


• Base case: define f(A) for all basic formulas A,

• Recursive case: define f for a composite formula using the definition of forits parts. For example when defining f(A→ B) one may recursively call f(A)and f(B).

2.4.1 Example of a function defined by recursion on formulas

We define the depth of a formula as follows

• depth(A) = 0 for every basic formula.

• depth(¬A) = depth(A) + 1.

• depth(A �B) = max(depth(A), depth(B)) + 1 for � ∈ {∧,∨,→}.

We also let con(A) be the number of occurrences of logical connectives (∧,∨,→,¬)in the formula A.

Lemma 2. con(A) < 2depth(A).

Proof. By induction on formulas.

Induction base: If A is a basic formula, then con(A) = 0 < 1 = 20 = 2depth(A).

Induction step: We have to consider composite formulas.

¬A: By induction hypothesis (i.h.) we have con(A) < 2depth(A). Therefore

con(¬A) = con(A) + 1i.h.< 2depth(A) + 1

≤ 2 ∗ 2depth(A)

= 2depth(A)+1

= 2depth(¬A)

A �B where � ∈ {∧,∨,→}: By induction hypothesis we have con(A) < 2depth(A) andcon(B) < 2depth(B).

con(A �B) = con(A) + con(B) + 1

< con(A) + 1 + con(B) + 1i.h.

≤ 2depth(A) + 2depth(B)

≤ 2 ∗ 2max(depth(A),depth(B))

= 2depth(A�B)


This completes the proof.

Natural numbers are also freely generated, namely from 0 and the successor operation.Consequently, there is a corresponding recursion principle which is called primitiverecursion: in order to define a function f on natural numbers it is enough to define

• f(0) and

• f(n+ 1) with a possible recursive call to f(n).

Induction and recursion principles such as induction on formulas and natural numbers,recursion on formulas and primitive recursion occur very often in computer scienceand are of fundamental importance. It is therefore essential to be familiar with themand to be able to apply them. In fact, we will frequently use them in this course.These principles are instances of two general principles which are valid for all freelygenerated structures: Structural Induction and Structural recursion (see, for examplethe preliminary chapter of [2]).

Recursion on formulas vs. general recursion In most programming languagesgeneral recursion is allowed. This means that when defining a function f , a valuef(x) may be defined making recursive calls to f(y) where y is arbitrary.

Clearly, general recursion captures recursion on formulas, primitive recursion and, ingeneral, structural recursion. So why bother with restricted forms of recursion?

The reason is that recursion on formulas (and more generally structural recursion)guarantees that the recursively defined function will terminate for all inputs, whilewith general recursion this is of course not the case. Moreover, it can be decidedeasily whether a given recursive definition is structural recursive or not, while thequestion whether or not a general recursive program terminates is undecidable, dueto the undecidability of the Halting Problem.

2.4.2 Exercise

Prove depth(A) ≤ con(A).

2.4.3 Exercise

Give a definition of con(A) by recursion on formulas.


2.4.4 Exercise

Compute depth(A) and con(A) for the following formulas A:

(a) (A ∧B) ∨ (A ∧ ¬B))

(b) ((A→ B)→ A)→ A

2.4.5 Exercise

Let atom(A) be the number of occurrences of atomic formulas of A. Give a definitionof atom(A) by recursion on formulas.

2.4.6 Exercise

Prove atom(A) ≤ 2 · con(A) + 1.

2.4.7 Exercise

Define a Haskell data type of propositional formulas.

2.4.8 Exercise

Implement the functions depth(A), con(A) and atom(A) in Haskell.

2.5 Semantics of propositional logic

The semantics (= meaning) of a formula A is a truth value: either 0 (for “false”) or1 (for “true”). The truth values 0 and 1 are also called boolean values. Of course,the meaning of A depends on the meaning of the atomic propositions occurring inA. Once the meaning of these atomic propositions is fixed, the meaning of A can becomputed according to the following truth tables of the propositional connectives.

>1

⊥0

x ¬x0 11 0


x y x ∧ y0 0 00 1 01 0 01 1 1

x y x ∨ y0 0 00 1 11 0 11 1 1

x y x→ y0 0 10 1 11 0 01 1 1

These tables are to be understood as shorthand notations for the definitions of Booleanfunctions associated with the propositional connectives:

¬ : {0, 1} → {0, 1}, ∧,∨,→: {0, 1}2 → {0, 1}

For example,

0→ 0 = 1

0→ 1 = 1

1→ 0 = 0

1→ 1 = 1

2.5.1 Exercise (from aptitude test for Foundation Degree)

There are four cards on the table:

• Card 1 is from the red deck

• Card 2 is an Ace of Spade

• Card 3 is from the blue deck

• Card 4 is a Three of Heart

Claim: Every Ace amongst these four cards comes from the blue deck.

Which cards need be turned over in order to be certain that the claim is true?

Solution: Let A be the statement “the card is an Ace” and B be the statement “thecard is from the blue deck”.

The Claim states that the formula A → B holds for all four cards. Therefore, weneed to turn over those cards for which this formula might be false.

According to the truth table of implication, the formula A→ B is false if and only ifA is true and B is false, that is, if the card is an Ace but not from the blue deck.

Now check for which of the cards this might be the case.


In the following we fix a finite set of atomic propositions

A := {P1, . . . , Pn}

and consider only formulas containing atomic propositions from A.

2.5.2 Definition (Assignment)

An assignment is a mapping α : A → {0, 1}. Hence, α assigns to each atomicproposition Pi ∈ A a truth value α(Pi) ∈ {0, 1}. An assignment α can also be viewedas an array of boolean values (b1, . . . , bn) where α(Pi) = bi for i ∈ {1, . . . , n}.

For example, the array (1, 0, 1) denotes the assignment α with α(P1) = 1, α(P2) = 0and α(P3) = 1.

2.5.3 Definition (truth value of a formula)

We define the truth value of A under an assignment α

[[A]]α ∈ {0, 1}

by recursion on formulas:

[[Pi]]α = α(Pi)

[[>]]α = 1

[[⊥]]α = 0

[[¬A]]α = ¬([[A]]α)

[[A �G]]α = [[A]]α � [[G]]α for � ∈ {∧,∨,→}

2.5.4 Definition (substitution)

Let A,B be formulas and P an atomic proposition. By A[P := B] we denote theformula obtained by substituting (that is, replacing) in A every occurrence of P byB.

For example, if A = P → P and B = C ∧ P , then A[P := B] = C ∧ P → C ∧ P .


2.5.5 Exercise

Define A[P := B] by recursion on the formula A.

Solution.

P [P := B] = B

Q[P := B] = Q if Q is an atomic proposition different from P

>[P := B] = >⊥[P := B] = ⊥

(¬A)[P := B] = ¬(A[P := B])

(A � A′)[P := B] = A[P := B] � A′[P := B] for � ∈ {∧,∨,→}

2.5.6 Substitution Theorem

Let A,B be formulas and P an atomic proposition. For every assignment α we have

[[A[P := B]]]α = [[A]]α′

where α′ is the assignment that is identical to α except that α′(P ) := [[B]]α.

Proof. By induction on formulas. We refer to the recursive definition of substitutiongiven in the solution to Exercise 2.5.5.

[[P [P := B]]]α = [[B]]α = α′(P ) = [[P ]]α′

If A is an atomic proposition different from P , then

[[A[P := B]]]α = [[A]]α = α(A) = α′(A) = [[A]]α′

[[¬A[P := B]]]α = [[¬A[P := B]]]α by definition of substitution

= ¬([[A[P := B]]]α) by definition of the value of a formula

= ¬([[A]]α′) by induction hypothesis

= [[¬A]]α′ by definition of the truth value of a formula

The proof for the remaining cases (conjunction, disjunction, . . . ) is similar.


Remark. The assignment α′ in the Substitution Theorem is often denoted by α[P :=b] where b := [[B]]α ∈ {0, 1}. In general the “updated” assignment α[P := b] is definedas

α[P := b](P ) := b

α[P := b](Q) := α(Q) if Q is an atomic proposition different from P

With this notation the Substitution Theorem reads

[[A[P := B]]]α = [[A]](α[P := [[B]]α])

Remark. The Substitution Theorem says that the value of a formula which containsa formula B as a subformula only depends on the value of B but not on its syntacticform. The principle expressed by this theorem is called

Referential Transparency

Referential Transparency also holds for arithmetic expressions, derivations, types,and many other types of syntax with a well defined semantics.

Referential Transparency is essential for any kind of reasoning about syntax andsemantics because it allows to reason in a modular way. For example, in a formulaA we may replace a subformula B by an equivalent formula B′ without changing themeaning of A (this is shown in the Equivalence Theorem 2.6.8 below; what it meansfor two formulas to be equivalent is defined in 2.6.4).

Referential Transparency does hold for functional programs, but generally not forprograms written in an imperative language such as C or Java. The reason is thatthe Substitution Theorem may fail if the substituted program performs side effects.Therefore, reasoning about imperative programs is more difficult than reasoning aboutfunctional programs.

2.6 Logic gates and equivalence

In Sect. 2.5 we defined the meaning of the propositional connectives as certain booleanfunctions ¬ : {0, 1} → {0, 1}, ∧,∨,→: {0, 1}2 → {0, 1}. Now we study booleanfunctions in general.

2.6.1 Definition (logic gate, boolean function)

A logic gate or called boolean function or switch) of n arguments is a function

f : {0, 1}n → {0, 1}


2.6.2 Exercise

Obviously, there exist only finitely many logic gates of n arguments. How many?

2.6.3 Definition (logic gate defined by a formula)

Since an assignment α can be viewed as an array of boolean values

α = (α(P0), . . . , α(Pn−1)) ∈ {0, 1}n

the value of a formula A can also be viewed as a boolean function or logic gate

[[A]] : {0, 1}n → {0, 1}, α 7→ [[A]]α

2.6.4 Definition (equivalence)

Usually, one is only interested in the logic gate a formula defines. Therefore, twoformulas A, B are called equivalent, in symbols, A ≡ B if they define the same logicgate, that is, [[A]]α = [[B]]α for all assignments α.

2.6.5 Exercise

Let A, B be atomic formulas. Which of the following formulas are equivalent?

(a) A→ ¬B

(b) ¬(B ∧ A)

(c) ¬B → A


Here is a list of important equivalences:

A ∧B ≡ B ∧ A(A ∧B) ∧ C ≡ A ∧ (B ∧ C)

A ∨B ≡ B ∨ A(A ∨B) ∨ C ≡ A ∨ (B ∨ C)

A ∧ (B ∨ C) ≡ (A ∧B) ∨ (A ∧ C)

A ∨ (B ∧ C) ≡ (A ∨B) ∧ (A ∨ C)

¬(A ∧B) ≡ ¬A ∨ ¬B¬(A ∨B) ≡ ¬A ∧ ¬B¬(A→ B) ≡ A ∧ ¬B

¬¬A ≡ A

¬A ≡ A→ ⊥A→ B ≡ ¬A ∨BA ∧ ¬A ≡ ⊥A ∨ ¬A ≡ >

(A ∧B)→ C ≡ A→ (B → C)

(A ∨B)→ C ≡ (A→ C) ∧ (B → C)

(¬A)→ B ≡ (¬B)→ A

2.6.6 Exercise

Verify that the equivalences above do indeed hold by checking in each case that theformula on left hand side and the formula on the right hand side have the same truthvalue for all assignments.

2.6.7 Exercise

For each of the following formulas find an equivalent one which is shorter:

(a) A ∧ >

(b) A ∧ ⊥

(c) A ∨ >

(d) A ∨ ⊥


(e) A→ A

(f) A→ >

(g) > → A

(h) ⊥ → A

(i) ¬A→ B

(j) A ∨ ¬A

(k) A ∧ ¬A

(l) ((A→ B)→ A)→ A

2.6.8 Equivalence Theorem

Let A,A′, B,B′ be formulas and P an atomic proposition.

If A ≡ A′ and B ≡ B′, then A[P := B] ≡ A′[P := B′].

Proof. This is an easy consequence of the Substitution Theorem (detailed proof leftas an exercise for the lecture).

Remark. Since there are only finitely many logic gates of n arguments, but infinitelymany formulas with n atomic propositions, each logic gate can be defined by many(in fact infinitely many) formulas. Finding for a given logic gate a shortest formuladefining it is an important and computationally difficult problem. We will later lookat some of the most important approaches to this problem.

2.7 Satisfiability and logical validity

2.7.1 Definition (satisfaction, model, tautology)

If [[A]]α = 1 we say α satisfies A, or α is a model of A, in symbols

α |= A

A formula A is called satisfiable if it has a model, otherwise it is unsatisfiable.

The satisfiability problem is the problem of deciding whether a formula is satisfiable.

A formula A is called a tautology or logically valid if it is satisfied by all assignments,that is, [[A]]α = 1 for all assignments α.


Remarks.

• Speaking in terms of logic gates, for a formula A to be logically valid meansthat the logic gate A it defines is constant 1. This is also the same as sayingthat A ≡ >.

• Similarly, for A to be a unsatisfiable means that the logic gate A is constant 0or that A ≡ ⊥.

• In particular, all tautologies are equivalent and all unsatisfiable formulas areequivalent.

• Formulas A that are neither tautologies nor unsatisfiable (which is the case formost formulas) define a logic gate A which is not constant, that is, there areassignments α, α′ such that [[A]]α = 1 and [[A]]α′ = 0.

2.7.2 Exercise

Let A, B be atomic formulas. Which of the following formulas are satisfiable, unsat-isfiable, tautologies?

(a) A ∨ ¬A

(b) A ∧ ¬A

(c) B → ¬A

2.7.3 Exercise

Is the formula of the “John the teacher” example a tautology?

2.7.4 Theorem

A formula A is a tautology if and only if ¬A is unsatisfiable.

Proof. The proof has two parts.

1. Assume A is a tautology. We show that ¬A is unsatisfiable. Let α be an assign-ment. We must show that α is not a model of ¬A, that is, [[¬A]]α = 0:

[[¬A]]α = ¬([[A]]α) by definition of the value of a negated formula

= ¬(1) because A is a tautology

= 0


2. Assume ¬A is unsatisfiable. We show that A is a tautology. Let α be an assign-ment. We must show that α is a model of A, that is, [[A]]α = 1.

Since ¬(¬(b)) = b for all b ∈ {0, 1} we have

[[A]]α = ¬(¬([[A]]α))

= ¬([[¬A]]α) by definition of the value of a negated formula

= ¬(0) because ¬A is unsatisfiable

= 1

2.7.5 Theorem (closure of tautologies under arbitrary substitution)

Let A and B be formulas and P an atomic proposition.

If A is a tautology, then A[P := B] is a tautology.

Proof. This is another easy consequence of the Substitution Theorem. The proof isleft as an exercise for the student.

2.7.6 Exercise

(a) Does the converse of Theorem 2.7.5 hold? That is, is the following true?

If A[P := B] is a tautology, then A is a tautology.

(b) Does Theorem 2.7.5 still hold if “is a tautology” is replaced by “is satisfiable”?

(c) Does Theorem 2.7.5 still hold if “is a tautology” is replaced by “is unsatisfiable”?

Justify your answers.


2.7.7 Exercise

Brown, Jones and Smith are suspected of Tax evasion. They testify under oath asfollows:

Brown: Jones is guilty and Smith is innocent.

Jones: If Brown is guilty, then so is Smith.

Smith: I am innocent, but at least one of the others is guilty.

(a) Assuming everybody told the truth, who is innocent/guilty?

(b) Assuming the innocent told the truth and the guilty lied, who is innocent/guilty?

First, try to find the answers by informal reasoning.

Then, use the atomic propositions B (Brown is guilty), J (Jones is guilty), S (Smithis guilty), to write the statements by Brown, Jones and Smith as propositional for-mulas and confirm your informal answers by checking the logic gates defined by thesestatements.

Additional (easy) questions:

(c) Is it possible that everybody told the truth?

(d) Is it possible that everybody lied?


3 Normal forms

In this chapter we introduce special classes of “normal forms” of formulas whichare important in many applications of logic in Computer Science. Some of theseclasses are still rich enough to define all logic gates, some are not. We will alsolook at compact representations of logic gates that are frequently used in practicalapplications.

3.1 Conjunctive Normal Form (CNF)

3.1.1 Definition (Literal)

A literal is an atomic proposition or the negation of an atomic proposition. Hence aliteral is of the form A (positive literal) or of the form ¬A (negative literal) where Ais an atomic proposition. We denote literals by L,L1, . . ..

3.1.2 Definition (Clause)

A clause is a disjunction of literals, that is, it is a formula of the form

L1 ∨ . . . ∨ Lnwhere each Li is a literal. We denote clauses by C,C1, . . .. In this definition n = 1 ispermitted. Hence every literal is also a clause.

3.1.3 Definition (Conjunctive Normal Form)

A formula is in conjunctive normal form, abbreviated CNF, if it is of the form

C1 ∧ . . . ∧ Cnwhere each Ci is a clause. The case n = 1 is permitted. Therefore, every clause isalso a CNF.

3.1.4 Examples


The formulas A and ¬A are literals.

The formula ¬A ∨ ¬B ∨ C is a clause.

The formula A ∧ (¬A ∨B ∨ C) ∧ (B ∨ ¬C) is a CNF.


3.1.5 Exercise

Let A,B,C be atomic propositions. Which of the following formulas are CNFs?

(a) ¬A

(b) B ∨ ¬C

(c) B ∧ ¬C

(d) A ∨ (B ∧ C)

(e) ¬(A ∨B)

(f) ¬A ∧ (B ∨ C)

3.1.6 Exercise (pigeon hole principle)

We assume that A1, A2, B1, B2, C1, C2 are atomic propositions. Consider the followingCNFs:

(A1 ∨ A2) ∧ (B1 ∨B2) ∧ (¬A1 ∨ ¬B1) ∧ (¬A2 ∨ ¬B2)

(A1 ∨ A2) ∧ (B1 ∨B2) ∧ (C1 ∨ C2) ∧(¬A1 ∨ ¬B1) ∧ (¬A1 ∨ ¬C1) ∧ (¬B1 ∨ ¬C1) ∧(¬A2 ∨ ¬B2) ∧ (¬A2 ∨ ¬C2) ∧ (¬B2 ∨ ¬C2)

Which is satisfiable?

Hint: Think of of Ai as expressing that pigeon A sits in hole i, similarly for Bi, Ci.Then the first formula expresses that each of the two pigeons A,B sits in one of thetwo holes, but no two pigeons sit in the same hole.

Similarly, the second formula expresses that the three pigeons A,B,C are sitting intwo holes with no two pigeons sitting in the same hole.

3.1.7 Exercise

Write down the pigeon hole formula for 2 pigeons and 3 holes.


3.2 Computational complexity of satisfiability for CNFs

A formula is said to be in n-CNF, where n is a natural number, if it is in CNF andevery clause contains at most n literals. For example the pigeon hole formulas aboveare in 2-CNF. In general, the pigeon hole formula for n pigeons and m holes is inm-CNF.

3.2.1 Theorem (Stephen Cook, 1971)

SAT, the satisfiability problem for formulas in CNF, is NP-complete (S. A. Cook,The Complexity of Theorem-Proving Procedures, Proc. 3rd ACM Symp. Theory ofComputing, May 1971).

NP-completeness still hold for 3-SAT, the satisfiability problem restricted to formu-las in 3-CNF.

On the other hand, 2-SAT, the satisfiability problem for formulas in 2-CNF, is solv-able in polynomial time (for those interested in complexity theory: it is NL-complete,that is, complete for all non-deterministic log-space problems).

A good introduction to complexity classes (such as NP, NL and many others) aswell is given on the Wikipedia page Complexity class. A standard textbook is Com-putational complexity by C. H. Papadimitriou, Addison-Wesley 1994 (available at theLibrary).

The satisfiability problem for CNF has countless applications in Computer Scienceand bears many open problems. For example it is still unknown whether satisfiabilityof CNFs is decidable in polynomial time. It is widely believed that this is not thecase. If it were the case, then the complexity classes P and NP would coincide(Millennium Problem P versus NP).

3.3 Horn Formulas

Another important class of formulas are Horn Formulas. These are formulas in CNFwhere each clause is a Horn clause, that is, a clause containing at most one positiveliteral. Hence, a Horn Clause has the form

¬A1 ∨ . . . ∨ ¬An ∨B or ¬A1 ∨ . . . ∨ ¬An

Horn Clauses can be written equivalently using conjunction and implication:

A1 ∧ . . . ∧ An → B or A1 ∧ . . . ∧ An → ⊥


3.3.1 Theorem

HORNSAT, the satisfiability problem for Horn Formulas, can be solved in polyno-mial time, in fact it is P-complete.

Horn formulas are the basis of Logic Programming a style of programming that is usedin Computational Linguistics, Expert Systems, Deductive Data Bases, and ArtificialIntelligence and machine learning. The dominant logic programming language isProlog (see, for example the textbook From logic programming to Prolog by K. R. Apt,Prentice Hall 1996, available at the library).

3.4 Disjunctive Normal Form (DNF)

By swapping conjunction (∧) and disjunction (∨) one obtains a normal form dual toCNF.

3.4.1 Definition (Disjunctive Normal Form)

A disjunctive normal form, abbreviated DNF, is a formula of the form

D1 ∨ . . . ∨Dn

where each Di is a conjunctive clause, that is, a conjunction of literals.

3.4.2 Example

Let A,B,C be atomic propositions. The following formula is a DNF:

A ∨ (B ∧ ¬C) ∨ (¬A ∧B ∧ C)

Formulas in DNF are less frequently used. However, they have the interesting prop-erty that the satisfiability problem for them is trivial.

3.4.3 Exercise (satisfiability for DNF)

Prove that satisfiability for DNF formulas is solvable in linear time.


3.5 Expressive completeness

A class of formulas is called expressively complete, complete for short, if every logicgate can be defined by a formula in that class, that is, for every logic gate g : {0, 1}n →{0, 1} there exists a formula F in the class such that

[[F ]](x1, . . . , xn) = g(x1, . . . , xn)

for all (x1, . . . , xn) ∈ {0, 1}n.

It easy to see that CNF and DNF are complete classes of formulas, that is, they candefine every logic gate.

3.5.1 Theorem (completeness of CNF and DNF)

CNF and DNF are complete, that is, every logic gate can be defined by a formula inCNF and also by a formula in DNF.

Proof. We prove the theorem for DNF (for CNF the argument is similar and left asan exercise).

g : {0, 1}n → {0, 1} be a logic gate. We are looking for a formula F in DNF thatdefines g, that is [[F ]]α = g(α) for all assignments α. Recall that we identify the setof assignments with the set {0, 1}n of n-tuples of Boolean values by identifying anassignment α with the tuple (α(P1), . . . , α(Pn)) ∈ {0, 1}n.

Recall that there exist 2n assignments. Let α1, . . . , αk a listing of those assignmentsfor which g returns 1. That is, g(α1) = . . . = g(αk) = 1, and g(α) = 0 for all otherassignments α.

We encode each αi by a conjunctive clause Di as follows:

Di := Li,1 ∧ . . . ∧ Li,n

where Li,j := Pj if αi(Pj) = 1 and Li,j := ¬Pj if αi(Pj) = 0.

For example, if αi = (0, 1, 0), then Di = ¬P1 ∧ P2 ∧ ¬P3.

Clearly, we have for any assignment α and any j ∈ {1, . . . , n}

[[Li,j]]α = 1 ⇔ α(Pj) = αi(Pj)

Therefore,

[[Di]]α = 1 ⇔ for all j ∈ {1, . . . , n} [[Li,j]]α = 1

⇔ for all j ∈ {1, . . . , n} α(Pj) = αi(Pj)

⇔ α = αi


which means that Di does indeed properly encode αi.

Now we define the formula we are looking for by

F := D1 ∨ . . . ∨Dk

Clearly, F is in DNF. We show that F defines the logic gate g. Let α be an assignment.We have to show [[F ]]α = g(α), that is, [[F ]]α = 1⇔ g(α) = 1.

[[F ]]α = 1 ⇔ for some i ∈ {1, . . . , k} [[Di]]α = 1

⇔ for some i ∈ {1, . . . , k} α = αi

⇔ g(α) = 1

3.5.2 Example

Consider the logic gate g of three variables defined by the truth table

x y z g(x, y, z)0 0 0 00 0 1 10 1 0 00 1 1 01 0 0 11 0 1 01 1 0 01 1 1 0

There are two assignments where g returns 1: α1 := (0, 0, 1) and α2 := (1, 0, 0).Hence D1 = ¬P1 ∧ ¬P2 ∧ P3 and D2 = P1 ∧ ¬P2 ∧ ¬P3, and the formula F in DNFwhich defines g is

(¬P1 ∧ ¬P2 ∧ P3) ∨ (P1 ∧ ¬P2 ∧ ¬P3)

We call a set of logical connectives complete if the class of all formulas defined fromthem is complete. In this definition we regard the logical constants ⊥ and > asconnectives.

For example, since DNF is complete, and formulas in DNF only use the connectives∧,∨,¬, it follows, that the set {∧,∨,¬} is complete.


3.5.3 Theorem (Complete sets of connectives)

Each of the following sets of connectives is complete:

(a) {∧,¬}

(b) {∨,¬}

(c) {→,⊥}

Proof. (a) Since {∧,∨,¬} is complete it suffices to show that ∨ can be defined by ∧and ¬.

Recall that ¬¬A ≡ A and ¬(A ∨B) ≡ ¬A ∧ ¬B. It follows

A ∨B ≡ ¬¬(A ∨B) ≡ ¬(¬A ∧ ¬B)

The proof of part (b) is similar and left as an exercise.

To prove (c), it suffices, by (b), to show that ¬ and ∨ can be defined by → and ⊥.We have ¬A ≡ A→ ⊥. Furthermore, since A→ B ≡ ¬A ∨B,

A ∨B ≡ ¬¬A ∨B ≡ ¬A→ B

3.5.4 Exercise (Incomplete sets of connectives)

Show that none of the following sets of connectives is complete:

(a) {∧,∨}

(b) {∧,→}

(c) {∧,⊥}

Hint: For (a) and (b) show that the logic gate which is constant 0 is not definable.For (c) show that every formula F definable by ∧ and ⊥ defines a monotone logicgate, that is, if α ≤ α′, then [[F ]]α ≤ [[F ]]α′ where the order on assignments is definedpointwise. Use induction on formulas.


3.5.5 Exercise (Incompleteness of Horn Formulas)

Show that the class of Horn Formulas is not complete.

Hint: Show that if F is a Horn Formula and α1 and α2 are models of F (that is,[[F ]]α1 = [[F ]]α1 = 1), then the assignment α, defined by α(A) := ∧(α1(A), α2(A)), isalso a model of F . Conclude from this that the logic gate ∨ cannot be defined by aHorn Formula.

Remark . The hint above implies in particular that if a Horn Formula is satisfiable,then it has a smallest model. This fact is fundamental for Logic Programming sinceit implies that the standard proof strategy applied in Prolog is complete in the sensethat it can derive any facts that are a logical consequence of the given logic program.The notions of “logical consequence” and “proof” will be explained in detail later.

Since, as we have seen in Exercise 3.4.3, the satisfiability problem for DNF is solvablein linear time, it seems that the satisfiability problem for CNF can be efficientlysolved by translating CNF into DNF. That this translation is possible, follows fromthe completeness of DNF. However, the obvious translation derived below, which isderived from the de Morgan Law

(A ∨B) ∧ (C ∨D) ≡ (A ∧ C) ∨ (A ∧D) ∨ (B ∧ C) ∨ (B ∧D)

leads to an exponential blow up. Hence, in terms of the satisfiability problem for CNFnothing is gained.

3.5.6 Definition (Translation of CNF into DNF)

Let F = C1 ∧ . . . ∧ Cn a formula in CNF, that is, each Ci is a disjunctive clause. Tosimplify matters we assume that all Ci contain the same number m of literals (thiscan always be achieved by repeating literals). Hence

Ci = Li,1 ∨ . . . ∨ Li,m

Then the following formula G in DNF is equivalent to F :

G :=∨

α:{1,...,n}→{1,...,m}

(L1,α(1) ∧ . . . ∧ Ln,α(n))

Since there are mn functions α : {1, . . . , n} → {1, . . . ,m}, we clearly have

size(G) = O(

2size(F))


3.6 Binary Decision Diagrams

A decision tree is a tree where each internal node contains a question and the childrenof a node are the answers to the question.

A fragment of a decision tree (courtesy Univ. Tubingen)

Decision trees can be represented as special formulas using a ternary logical connectiveA → (B,C), to be read as “if A then B else C”. It can easily be defined usingimplication, conjunction and negation:

A→ (B,C) := (A→ B) ∧ (¬A→ C)

The decision tree shown in the image above can now be written as

picClear→ (sound→ (. . . , checkMB), screenBlank→ (sound→ (checkPC, . . .), . . .))

The truth table of the if-then-else connective · → (·, ·) is as follows


x y z x→ (y, z)0 0 0 00 0 1 10 1 0 00 1 1 11 0 0 01 0 1 01 1 0 11 1 1 1

3.6.1 Exercise


(a) Find a formula in CNF that is equivalent to A→ (B,C).

(b) Show that the DNF (A ∧B) ∨ (¬A ∧ C) is equivalent to A→ (B,C).

3.6.2 Definition

The set of formulas in if-then-else normal form (INF) is inductively defined as follows:

(i) ⊥ and > are in INF.

(ii) if A is an atomic proposition and F , G are in INF, then A→ (F,G) is in INF.

For example, if A,B are atomic proposition, then the formula

F := A→ (B → (>,⊥), B → (⊥,⊥))

is in INF.

3.6.3 Exercise

(a) Draw the tree for the formula F above.

(b) Find a formula in INF that is equivalent to F but shorter.

(c) Find a formula that is equivalent to F but uses only one basic logical connective


Obviously, every logic gate can be defined by a decision tree and hence by a formulain INF. The decision tree is not uniquely determined: it depends on the order of thevariables.

Decision trees given by formulas in INF may contain redundancies:

(1) Repeated variables (atomic propositions) in one branch: these can be eliminatedby replacing the subtree beginning at the lower occurrence by its left respectivelyright subtree if that lower occurrence is in the left respectively subtree of theupper occurrence of that variable.

(2) A node with two identical subtrees: Replace the node by that subtree.

(3) Identical subtrees that don’t have a common parent node: these can be avoidedby passing from a tree structure to graph structure, more precisely a directedacyclic graph (DAG).

After carrying out these simplifications one arrives at a binary decision diagram(BDD). If in addition one requires that on all paths in the dag the variables ap-pear in a fixed order one has a reduced ordered BDD (ROBDD). However, in theliterature ROBDDs are often referred to simply as BDDs.

3.6.4 Example

Consider the following decision tree:

A

0 ��

1@@@R

B

0 ��

1AAAU

B

0 ��

1AAAU

C

0 ��

1CCCW

C

0 ��

1CCCW

C

0 ��

1CCCW

C

0 ��

1CCCW

1 1 1 0 1 0 0 0

Simplification (1) does not apply since no variable occurs twice on the same path.

The leftmost subtree beginning with C has only 1s at its leaves. Hence, applyingsimplification (2), it may be replaced by the leaf 1. Similarly, the rightmost subtreebeginning with C has only 0s at its leaves. Therefore we replace it by the leaf 0.


Carrying out these simplifications we obtain:

A

0 ��

1@@@R

B

0 ��

1AAAU

B

0 ��

1AAAU

1 C

0 ��

1CCCW

C

0 ��

1CCCW

0

1 0 1 0

Since the two remaining subtrees starting with C are identical we my identify them:

A

0 ��

1@@@R

B

0 ��

1@@@R

B

0 ��

1AAAU

1 C

0 ��

1CCCW

0

1 0

Finally, we identify all leaves with the same result:

A

0 ��

1@@@R

B

0

��

1@@@R

B

0 �� 1

CCCCCCW

C0 ��)1PPPPPq

1 0


Most applications of BDDs rely on the fact that every logic gate is implemented byexactly one ROBDD when the order of variables is fixed:

3.6.5 Canonicity Theorem for BDDs

For every logic gate g of n variables and every order of the n input variables thereexists exactly one reduced ordered BDD defining g.

3.6.6 Choosing the variable ordering

The ordering of variables in a BDD is crucial. There are logic gates whose sizesof ROBDDs vary between linear and exponential, depending on the chosen order ofvariables. For example, the ROBDD of the DNF

(A1 ∧ A2) ∨ (A3 ∧ A4) ∨ . . . ∨ (A2n−1 ∧ A2n)

has 2n + 2 nodes when the variable order A1, A2, A3, A4 . . . , A2n−1, A2n is chosen.However, for the order A1, A3, . . . , A2n−1, A2, A4, . . . , A2n the ROBDD has 2n+1 nodes.

Finding the optimal variable ordering is a hard problem. More precisely, this problemis NP-hard (Sieling, 2002). Deciding whether a given order is optimal is NP-complete(Bollig/Wegener, 1996).

3.6.7 Applications of BDDs

BDDs are heavily used in CAD software, equivalence and correctness testing of digitalcircuits, synthesizing circuits and formal verification, in particular model checking.

BDDs were systematically studied first by Randal E. Bryant (Graph-based algo-rithms for Boolean function manipulation. IEEE Transactions on Computers 8(C-35), 1986).

There are several BDD packages that are able to efficiently construct and manipulateBDDs, for example BuDDy (Kopenhagen), CUDD (Boulder).


3.6.8 Exercises

(a) Draw the truth table of the logic gate defined by the BDD (or decision tree) ofExample 3.6.4.

(b) Find a DNF defining the logic gate in (a).

(c) Find a CNF defining the logic gate in (a).

(d) Construct the decision tree for the logic gate in (a) with respect to the variableordering C,A,B.

(e) Transform the decision tree in (d) into an ROBDD.

(f) Construct ROBDDs for the formula

(A1 ∧ A2) ∨ (A3 ∧ A4) ∨ ∨(A3 ∧ A4)

with respect to the following variable orderings (see the discussion in Sec-tion 3.6.6):

(i) A1, A2, A3, A4, A5, A6

(ii) A1, A3, A5, A2, A4, A6

(g) Show that a program that transforms a CNF into the corresponding ROBDD(with respect of some given variable ordering) can be used to solve the satisfi-ability problem for CNFs.

(h) What can you deduce from (g) regarding the computational complexity of com-puting a reduced ordered BDD from a CNF (without using other complexityresults about ROBDDs)?

(i) Give the ROBDD for the formula given in Exercise 3.1.6 expressing the pigeonhole principle for three pigeons and two holes.

(j) Write down a formula that expresses the pigeon hole principle for two pigeonsand two holes.

(k) Is the formula in (j) a Horn formula?

(l) Draw the truth table for the logic gate defined by the formula in (j).

(m) Give the ROBDD for the logic gate you found in (l).


4 The Compactness Theorem

The Compactness Theorem is a fundamental result in logic with many applications inmathematics, automated theorem proving, satisfiability testing and other areas. Thetheorem refers to the notion of satisfiability of a (typically infinite) set of formulas.We first define this and related notions.

4.1 Satisfiability and logical consequence for sets of formulas

Since we consider infinite sets of formulas we also need to consider infinite assignmentswhich assign to infinitely many atomic propositions P1, P2, . . . truth values in {0, 1}.Hence an assignment can either be

finite (as before), that is α = (α(P1), α(P2), . . . , α(Pn)) ∈ {0, 1}n,

or infinite, that is α = (α(P1), α(P2), . . .) ∈ {0, 1}N.

4.1.1 Definition (Model, Satisfiability, for a set of formulas)

Let Γ be a set of formulas.

An assignment α is a model of Γ if [[F ]]α = 1 for all formulas F ∈ Γ. One also says αsatisfies Γ and writes

α |= Γ

Γ is satisfiable if it has a model.

If a set of formulas has no model, then it is called unsatisfiable.

Warning: It is not true that a set of formulas Γ is satisfiable if and only if allformulas in Γ are satisfiable! Give a counterexample!

4.1.2 Definition (Logical consequence)

A formula G is a logical consequence of a set of formulas Γ if every model of Γ is amodel of G, that is, for all assignments α, if α |= Γ, then α |= G (recall that α |= Gmeans [[G]]α = 1). One also says Γ logically implies G and writes

Γ |= G

Remarks .


1. A formula G is a tautology if and only ∅ |= G. Instead of ∅ |= G one also writesjust |= G.

2. For finite sets of formulas the new notions can be explained in terms of notionsintroduced earlier:

{F1, . . . , Fn} is satisfiable if and only F1 ∧ . . . ∧ Fn is satisfiable,

{F1, . . . , Fn} |= G if and only F1 ∧ . . . ∧ Fn → G is a tautology.

4.1.3 Exercise

Let Γ be a set of formulas and G a formula. Show:

(a) Γ |= G if and only if Γ ∪ {¬G} is unsatisfiable.

(b) If Γ |= G and Γ is satisfiable, then G is satisfiable.

Solution.

(a) For the implication from left to right assume Γ |= G. We show that Γ ∪ {¬G} isunsatisfiable. Let α be an assignment. We have to show α 6|= Γ ∪ {¬G}.Case 1: α 6|= Γ. Then α 6|= Γ ∪ {¬G}.Case 2: α |= Γ. Since we assumed that Γ |= G, it follows that α |= G, that is[[G]]α = 1. Hence [[¬G]]α = 0, that is, α 6|= ¬G. Therefore α 6|= Γ ∪ {¬G}.

For the opposite implication we assume that Γ ∪ {¬G} is unsatisfiable. We showΓ |= G. Assume α |= Γ. We have to show α |= G. Assume not, that is [[G]]α = 0.Then [[¬G]]α = 1, that is α |= ¬G. Hence α |= Γ∪{¬G} contradicting the assumptionthat Γ ∪ {¬G} is unsatisfiable.

(b) Assume that Γ |= G and Γ is satisfiable. We show that G is satisfiable. Since Γis satisfiable, there exists an assignment α such that α |= Γ. Since we assumed thatΓ |= G, it follows that α |= G. Hence G is satisfiable.

4.1.4 Exercises (Schoening, Ex. 7)

Give an example of a set Γ of 3 formulas such that Γ is unsatisfiable, but every2-element subset of it is satisfiable.

Solution. Consider the 3 formulas A, B and ¬A ∨ ¬B where A and B are atomic.It is easy to check that these have the desired property.


4.2 Konig’s Lemma

The essence of the proof of the Compactness Theorem is a theorem about binarytrees called Konig’s Lemma.

4.2.1 Definition (Binary Tree)

Let β ∈ {0, 1}n and β′ ∈ {0, 1}m be finite assignments. We say β′ is a restriction ofβ, or β is an extension of β′, written β′ ⊆ β, if m ≤ n and β′(Pi) = β(Pi) for alli ∈ {1, . . . ,m}.A binary tree is a set T of finite assignments which is closed under restriction, thatis, if β ∈ T and β′ ⊆ α, then β′ ∈ T . The elements of T are also called the nodes ofT . The length of a node is also called its depth.

An infinite path in a binary tree T is an infinite assignment α = (α(P1), α(P2), . . .)such that for all n ∈ N the finite assignment α(n) := (α(P1), . . . , α(Pn)) is in T .

ε

0 ��

1@@@

0

0 ��

1AAA

1

0 ��

00

0 ��

1CCC

01 10

0 ��

000 001 100

The binary tree {ε, 0, 1, 00, 01, 10, 000, 001, 100}

4.2.2 Theorem (Konig’s Lemma)

Every infinite binary tree has an infinite path.

Proof. Let T be an infinite binary tree.

We define an infinite assignment α = (α(P1), α(P2), . . .) as follows:

We set α(P1) := 0 if for infinitely many β ∈ T we have β(P1) = 0 (that is, the leftsubtree of T is infinite), otherwise we set α(P1) := 1 (in that case the right subtreeof T is infinite, because T is infinite).

In any case there are infinitely many assignments β ∈ T with β(P1) = α(P1).


With a similar argument we define α(P2) ∈ {0, 1} such that there are infinitely manyassignments β ∈ T with β(P1) = α(P1) and β(P2) = α(P2).

Repeating this procedure over and over again we obtain an infinite assignment α =(α(P1), α(P2), . . .) such that for each n there are infinitely many β ∈ T with β(Pi) =α(Pi) for all i ∈ {1, . . . , n}. Since T is closed under restrictions it follows in particularthat α(n) ∈ T for all n ∈ N, that is, α is an infinite path in T . This completes theproof.

Remarks.

1. The construction of the infinite path α is not effective since it is impossible todecide effectively which subtree of an infinite binary tree is infinite. In fact, thereexists a computable infinite tree, the so-called Kleene tree, which has no infinitecomputable path (it has, of course an infinite path, according to Konig’s Lemma, butthis path is not computable).

2. Konig’s Lemma holds more generally for finitely branching trees (instead of justbinary trees), that is, trees where every node has only finitely many children. Konig’sLemma fails for infinitely branching trees, even if we strengthen the hypothesis of Tbeing infinite to T being infinitely deep, that is, having arbitrarily deep nodes.

4.3 Statement and proof of the Compactness Theorem

With the help of Konig’s lemma it is now easy to prove the Compactness Theorem.

4.3.1 Theorem (Compactness Theorem)

Let Γ be a set of formulas such that every finite subset of Γ is satisfiable. Then Γ issatisfiable.

Proof. If there are only finitely many atomic formulas occurring in Γ, then the num-ber of logic gates defined by some formula in Γ is finite (though very large). Therefore,we can select finitely many formulas F1, . . . , Fn such that any such logic gate is de-fined by some Fi. Hence every F ∈ Γ is equivalent to some Fi. By assumption, theset {F1, . . . , Fn} has a model α which necessarily is then a model of Γ.

Hence, we consider now the interesting case that Γ is infinite, and there are infinitelymany atomic propositions occurring in Γ, say

P1, P2, . . .


For every natural number n we let Γn be the set of those formulas in Γ which containat most the atomic propositions P1, . . . , Pn. Clearly

Γ =⋃n∈N

Γn

By the argument above, each Γn is satisfiable (since there are only finitely manyatomic formulas occurring in Γn).

We setTn := {β ∈ {0, 1}n | β |= Γn}

Hence, Tn is the set of those finite assignments β that assign values to P1, . . . , Pn (andmaybe other atomic propositions) and satisfy Γn.

Since Γn is satisfiable, Tn is non-empty for each n.

Let T be the union of all the Tn. Clearly, T is a tree, since if β = (b1, . . . , bn) ∈ Tnand β′ ⊆ β, say β′ = (b1, . . . , bk) with k ≤ n, then β′ ∈ Tk.

Since all the Tn are nonempty, T is infinite. By Konig’s Lemma, T has an infinitepath

α = (a1, a2, . . .)

This means that α(P1) = a1, α(P2) = a2, and so on, and α(n) = (a1, . . . , an) ∈ Tn.Hence α(n) |= Γn and consequently α |= Γn for all n. Therefore, α |= Γ. Thiscompletes the proof.

4.3.2 Corollary

(a) If a set of formulas is unsatisfiable, then it has a finite unsatisfiable subset.

(b) If Γ |= G, then Γ0 |= G for some finite subset Γ0 of Γ.

Proof.

(a) This is the contrapositive of the Compactness Theorem.

(b) Assume Γ |= G. By Exercise , Γ ∪ {¬G} is unsatisfiable. By part (a) above,there exists a finite unsatisfiable subset Γ1 of Γ ∪ {¬G}. Set Γ0 := Γ1 ∩ Γ. Clearly,Γ0 is finite. Furthermore, Γ1 ⊆ Γ0 ∪ {¬G}. Hence Γ0 ∪ {¬G} is unsatisfiable. ByExercise it follows that Γ0 |= G.


4.3.3 Definition (Axiom system)

Let Γ be a set of formulas. A set of formulas Γ0 is an axiom system for Γ if Γ and Γ0

have the same models, that is for every assignment α,

α |= Γ if and only if α |= Γ0

A set of formulas is called finitely axiomatisable if it has a finite axiom system.

4.3.4 Exercise

(a) Show that Γ0 is an axiom system for Γ if and only if

(i) Γ |= G for every G ∈ Γ0 and

(ii) Γ0 |= F for every F ∈ Γ.

(b) Show that Γ is finitely axiomatisable if and only if there exists a formula G suchthat

(i) Γ |= G and

(ii) |= G→ F (that is, {G} |= F ) for every F ∈ Γ.

Solution. Part (a) is obvious: (i) is equivalent to the implication “if α |= Γ thenα |= Γ0” (for all α), and (ii) is equivalent to the converse implication “if α |= Γ0 thenα |= Γ”.

Part (b) follows from part (a) since the finite set of formulas Γ0, say, Γ0 = {F1, . . . , Fn}can be replaced by the conjunction of its elements F1 ∧ . . . ∧ Fn.

4.3.5 Exercise

Let Γ = {F1, F2, . . .} be an infinite set of formulas such that |= Fn+1 → Fn, but6|= Fn → Fn+1 for all n ∈ N. Show that Γ is not finitely axiomatisable.

Solution. If Γ were finitely axiomatisable, then by Exercise 4.3.4 (b), there wouldexist a formula G such that Γ |= G and |= G → F for every F ∈ Γ. By theCompactness Theorem, there exists a finite subset Γ0 of Γ such that Γ0 |= G. SinceΓ0 is finite, there exists k ∈ N such that Γ0 ⊆ {F1, . . . , Fk}. Since |= Fn+1 → Fn forall n ∈ N, it follows that |= Fk → F for all F ∈ Γ0. Since Γ0 |= G, it follows thatFk |= G. Since |= G → F for all F ∈ Γ, we have in particular that |= G → Fk+1.Therefore, |= Fk → Fk+1, contradicting the assumption that 6|= Fn → Fn+1 for alln ∈ N.


4.3.6 Example (Four Colour Theorem)

As an application of the Compactness Theorem we show that the Four Colour Theo-rem for infinite maps or graphs can be derived from its finite version. Below we meanby a map a separation of the plane into regions, called countries. A map is finite ifthe number of regions is finite.

Four Colour Theorem. Every finite map can be coloured by 4 colours such thatneighbouring countries have different colours.

A map of Europe coloured using only four colours (Wikimedia Commons)

The theorem was proven in 1975 by Appel and Haken with the help of a computer.Since the proof was too complex to be checked by a human, some doubts remainedabout its validity. In 1997, Robertson, Sanders, Seymour, and Thomas gave a simplerproof which still required help by a computer, and in 2005 the whole proof wasformalized by Gonthier in the interactive proof system Coq. Now the proof is widelyaccepted. The Four Colour Theorem is the first theorem for which no proof withoutcomputer assistance is known.


Deciding whether a given finite map can be coloured with only three colours is anNP-complete problem (Dayley 1980).

The Four Colour Theorem for finite maps can be restated in terms of undirectedplanar graphs (a graph is planar if it can be drawn in the plane without crossingedges), where the nodes corresponds to a country and two nodes that are connectedby an edge correspond to neighbouring countries:

Each finite planar graph has a colouring of the nodes (or vertices) using notmore than four colours such that nodes connected by an edge have differentcolours.

The infinite Four Colour Theorem is the same statement, but for infinite maps, thatis, infinite planar graphs.

To show that the infinite Four Colour Theorem holds, we express the statement by aset of propositional formulas.

Let G be an infinite planar graph.

For every n ∈ N (representing a node or country) and every c ∈ {1, 2, 3, 4} repre-senting a colour) we introduce an atomic proposition Pn,c with the intended meaningthat node n has colour c.

We write down formulas that express that G has a 4-colouring.

1. Pn,1 ∨ Pn,2 ∨ Pn,3 ∨ Pn,4 for every n ∈ N (every node has a colour)

2. ¬(Pn,c ∧ Pn,d) for every n ∈ N and all c, d ∈ {1, 2, 3, 4}, c 6= d (a node can haveonly one colour).

3. ¬(Pn,c∧Pm,c) for all n,m ∈ N that are connected by an edge and c ∈ {1, 2, 3, 4}(neighbouring nodes have different colours).

Let Γ be the set of all these formulas. Clearly Γ is satisfiable if and only if the graphG admits a 4-colouring (and any satisfying assignment will define such a colouring).

By the Compactness Theorem it suffices to show that every finite subset of Γ issatisfiable. Let Γ0 be such a finite subset. Let G0 the subgraph of G that is formedby those nodes that are mentioned in Γ0. G0 is finite since Γ0 is finite. By the finiteFour Colour Theorem, G0 admits a 4-colouring which defines a satisfying assignmentfor Γ0. Hence Γ0 is satisfiable.

This completes the proof.


5 Natural Deduction Proofs

We now study a system of simple proof rules for deriving tautologies, that is, logicallyvalid formulas. The famous Completeness Theorem, by the Austrian logician KurtGodel, states that this system of rules suffices to derive in fact all tautologies. Godelproved this theorem for an extension of propositional logic, called first-order predicatelogic, which we will study later.

Kurt Godel (1906-1978)

The proof calculus of Natural Deduction was first introduced by the German math-ematician and logician Gerhard Gentzen (1909-1945) and further developed by theSwedish philosopher and logician Dag Prawitz (born 1936).

Compared with other proof calculi, e.g. Sequent Calculi, or Hilbert Calculi, NaturalDeduction has the advantage of being

• close to the natural way of human reasoning, and thus easy to learn;

• closely related to functional programming, and thus is particularly well suitedfor program synthesis from proofs, which we will study later in the course.

In the following, A, B, C stand for arbitrary propositional formulas unless statedotherwise. In order to simplify things, from now on we view a negation, ¬A, as anabbreviation for the implication A→ ⊥. This is justified since the two formulas areequivalent.


5.1 Definition (Sequent)

A sequent is a syntactic object

A1, . . . , Ak ` B

where A1, . . . , Ak, B are formulas. The idea of a sequent is to express that the as-sumptions A1, . . . , Ak logically imply the conclusion B, that is, {A1, . . . , Ak} |= Bholds. A1, . . . , Ak are called the assumptions (or antecedent) and B the consequenceor succedent of the sequent. In the antecedent A1, . . . , Ak we ignore the order andmultiplicities of formulas, that is, we consider the antecedent as a set of formulas.Hence, a more accurate notation for a sequent would be {A1, . . . , Ak} ` B, but it iscommon to omit the curly braces. We often denote the antecedent of a sequent bythe letter Γ. Furthermore, we write Γ, A as a shorthand for Γ ∪ {A}.

5.2 Definition (Derivation)

A derivation (or formal proof ) is a finite tree (drawn correctly, that is, leaves ontop and root at the bottom), where each node is labelled by a sequent and a ruleaccording to figure 1 on page 47.

There is an Assumption rule, and for each logical connective there are two kinds ofrules:

Introduction rules , describing how to obtain a formula built from that connec-tive;

Elimination rules , describing how to use a formula built from that connective.

The sequent at the root of a derivation is called the end sequent. The assumptionrule could be equivalently written

Γ ` A, provided A ∈ Γ

The assumptions of the end sequent of a derivation are called the free assumptionsof a derivation.

5.3 Definition (Classical provability)

A sequent Γ ` A is called derivable if there is a derivation with end sequent Γ ` A.We also say that A is derivable from the assumptions Γ.

In the special case when Γ is empty, we say that A is derivable.


Assumption rule useΓ, A ` A

Introduction rules Elimination rules

∧ Γ ` A Γ ` B ∧+Γ ` A ∧B

Γ ` A ∧B ∧−l

Γ ` AΓ ` A ∧B ∧−r

Γ ` B

→ Γ, A ` B→+

Γ ` A→ BΓ ` A→ B Γ ` A →−

Γ ` B

∨ Γ ` A ∨+l

Γ ` A ∨BΓ ` B ∨+r

Γ ` A ∨BΓ ` A ∨B Γ ` A→ C Γ ` B → C ∨−

Γ ` C

⊥ Γ ` ⊥ efqΓ ` A

Γ ` ¬¬A raaΓ ` A

Figure 1: The rules of natural deduction for propositional logic (sequent notation)

5.4 Examples

1. We begin with a derivation involving the conjunction introduction rule, ∧+, andthe conjunction elimination rules, ∧−l and ∧−r .

useA ∧B ` A ∧B ∧−rA ∧B ` B

useA ∧B ` A ∧B ∧−

lA ∧B ` A ∧+

A ∧B ` B ∧ A

2. If we add to the derivation in Example 1 an application of the implication intro-duction rule, →+, we obtain a proof of A ∧B → B ∧ A without assumptions:

useA ∧B ` A ∧B ∧−rA ∧B ` B

useA ∧B ` A ∧B ∧−

lA ∧B ` A ∧+

A ∧B ` B ∧ A →+

` A ∧B → B ∧ A


3. In the following derivation of the formula A→ (B → A) we use the rule→+ twice.

useA,B ` A

→+

A ` B → A →+

` A→ (B → A)

4. Next let us derive (A→ (B → C))→ (A∧B → C). Here we use for the first timethe implication elimination rule, →−, also called modus ponens. The easiest way tofind the derivations is to construct it “bottom up”.

useA ∧B → C,A,B ` A ∧B → C

useA ∧B → C,A,B ` A

useA ∧B → C,A,B ` B

∧+A ∧B → C,A,B ` A ∧B

→−A ∧B → C,A,B ` C

→+

A ∧B → C,A ` B → C→+

A ∧B → C ` A→ (B → C)→+

` (A ∧B → C)→ (A→ (B → C))

At the latest at this point we notice that even fairly simple derivations as the oneabove are very tedious to write down and difficult to read because so many formulasare repeated over and over again in the assumptions of sequents.

The following observation leads to a much more concise notation for derivations thatlargely avoids repetitions of formulas: The assumptions of a sequent in a derivationconsist of formulas that

are free assumptions, that is, occur in the antecedent of the end sequent of thederivation, or

are “introduced” by the rule →+.

Furthermore, the only rule where an assumption is “used” is the assumption rule.

Hence, the assumptions may be notationally omitted provided

the free assumptions are listed with labels, and

the introduction of an assumption via →+ is indicated by a label.


When an assumption is used in an assumption rule one refers to the correspondinglabel.

Following this idea, the previous derivation now reads:

u : A ∧B → Cv : A w : B ∧+

A ∧B →−C →+w

B → C →+vA→ (B → C)

→+u(A ∧B → C)→ (A→ (B → C))

Note that the (invisible) assumptions at each point of the derivation consists of theformulas X for which there is a rule of the form

Y →+zX → Y

below that point. Consequently, assumptions are allowed exactly if they are of theform z : X for such z and X. In this example there were no free assumptions.

To display the derivation 1, we list the only free assumption

u : A ∧B

and the derivation is

u : A ∧B ∧−rB

u : A ∧B ∧−l

A ∧+B ∧ A

5.5 Exercise

Write the derivations 2 and 3 above using the new shorthand notation.

The derivation rules themselves can be rewritten in the new style as well, as shownin figure 2 on page 50.


Assumption rule (*) u : A


∧ A B ∧+A ∧B

A ∧B ∧−l

A

A ∧B ∧−rB

→ B →+uA→ B

A→ B A →−B

∨ A ∨+l

A ∨BB ∨+r

A ∨BA ∨B A→ C B → C ∨−

C

⊥ ⊥ efqA

¬¬A raaA

Figure 2: The rules of natural deduction for propositional logic (short notation)

The correctness condition (*) for an instance u : A of the assumption rule is that

u : A is among the listed free assumptions, or

below the occurrence of that assumption rule there is a rule of the form

B →+uA→ B

In the following, when writing down concrete derivations, we will always work withthe shorthand notation.

5. In order to familiarise ourselves with the disjunction introduction rules, ∨+l , ∨+r ,and the disjunction elimination rule, ∨−, we derive the formula A ∨B → B ∨ A.

u : A ∨B

v : A ∨+rB ∨ A →+v

A→ B ∨ A

w : B ∨+l

B ∨ A →+wB → B ∨ A ∨−

B ∨ A →+uA ∨B → B ∨ A


6. As a slightly more complicated example we derive (one half of) one of de-Morgan’slaws, A ∧ (B ∨ C)→ (A ∧B) ∨ (A ∧ C).

u : A ∧ (B ∨ C)∧−r

B ∨ C

u : A ∧ (B ∨ C) ∧−l

A v : B ∧+A ∧B ∨+

l(A ∧B) ∨ (A ∧ C)

→+vB → (A ∧B) ∨ (A ∧ C)

u : A ∧ (B ∨ C) ∧−l

A w : C ∧+A ∧ C ∨+r

(A ∧B) ∨ (A ∧ C)→+w

C → (A ∧B) ∨ (A ∧ C)∨−

(A ∧B) ∨ (A ∧ C)→+u

A ∧ (B ∨ C)→ (A ∧B) ∨ (A ∧ C)

7. Finally, we turn our attention to the rules concerning absurdity, ⊥, namely ex-falso-quodlibet, efq, and reductio-ad-absurdum, raa. Recall that ¬A is shorthand forA → ⊥, and therefore ¬¬A stands for (A → ⊥) → ⊥. We derive Peirce’s law(A→ B)→ A→ A:

v : ¬Au : (A→ B)→ A

v : ¬A w : A →−⊥ efqB →+w

A→ B→−

A →−⊥ →+v¬¬A raaA →+u

((A→ B)→ A)→ A

8. The rule ex-falso-quodlibet is weaker than reductio-ad-absurdum in the sense thatthe former can be obtained from the latter: From the assumption ⊥ we can derive anyformulaA without using ex-falso-quodlibet (but using reductio-ad-absurdum instead):

⊥ →+u(A→ ⊥)→ ⊥

raaA


5.6 Definition

Let Γ be a (possibly infinite) set of formulas and A a formula.

Γ `c A : ⇔ Γ0 ` A is derivable for some finite subset Γ0 of Γ.

(A is derivable from Γ in classical logic)

Γ `i A : ⇔ Γ `c A with a derivation not using the rule reductio-ad-absurdum.

(A is derivable from Γ in intuitionistic logic)

Γ `m A : ⇔ Γ `c A with a derivation using neither the rule reductio-ad-absurdum nor the rule ex-falso-quodlibet.

(A is derivable from Γ in minimal logic)

5.7 Soundness and completeness

The soundness and completeness theorems below state that the logical inference rulesintroduced above precisely capture the notion of logical consequence.

5.8 Soundness Theorem

If Γ `c A then Γ |= A.

Proof. The theorem follows immediately from the following statement which can beeasily shown by induction on derivations:

For every set of formulas Γ and every formula A,

if Γ `c A then α |= A for all models α of Γ

.

Whilst the soundness theorem is not very surprising, because it just states that theinference rules are correct, the following completeness theorem proved by Godel,states that the logical inference rules above in fact capture all possible ways of correctreasoning.


5.9 Completeness Theorem

If Γ |= A then Γ `c A.

In words: If A is a logical consequence of Γ (i.e. A is true in all models of Γ), thenthis can be formally derived by the inference rules of natural deduction.

It is important that the Completeness Theorem holds for other logics as well. Inparticular it holds for first-order predicate logic which we will study later.

For propositional logic, the Completeness Theorem is an easy consequence of theCompactness Theorem:

5.10 Exercise

Sketch a proof of the Completeness Theorem for Propositional Logic using the Com-pactness Theorem and the fact that every formula is provably equivalent to a formulain CNF.

Solution.

Assume Γ |= A. By the Compactness Theorem, there are finitely many formulasB1, . . . , Bn ∈ Γ such that {B1, . . . , Bn} |= A. Hence B1∧ . . .∧Bn → A is a tautology.

It suffices to show that B1 ∧ . . . ∧ Bn → A is derivable in classical logic, that is`c B1 ∧ . . . ∧Bn → A. Because then {B1, . . . , Bn} ` A is derivable and consequentlyΓ `c A.

Therefore, in order to complete the proof of the Completeness Theorem, it sufficesto show that all propositional tautologies are derivable in classical logic. This canbe done as follows: Any formula F can be transformed into an equivalent formula inConjunctive Normal Form, that is,

F ≡ C1 ∧ . . . ∧ Cn

where each Ci is a disjunctive clause. Moreover the equivalence can be formallyproven, that is,

`c F ↔ C1 ∧ . . . ∧ CnTo construct the derivation one uses formal proofs of the de-Morgan laws and lawsexpressing implication in terms of disjunction and negation. This is a bit tedious,but easy.

Now, F is a tautology if and only if every Ci is a tautology. Hence, we furtherreduced the problem to showing that all disjunctive clauses which are tautologies arederivable.


So, take any disjunctive clause

C = L1 ∨ . . . ∨ Lk

Clearly, C is a tautology if and only if it contains two complementary literals, sayLi = A and Lj = ¬A where A is an atomic proposition. But A ∨ ¬A is derivable inclassical logic. Hence C is derivable.

The following consequences of the Completeness Theorem refer to the notion of con-sistency.

5.11 Definition (Formal consistency)

A (possibly infinite) set of formulas Γ is called formally consistent if Γ 6`c ⊥, thatis there is no (classical) derivation of ⊥ from assumptions in Γ.

In other words: A set of formulas is consistent if and only if no contradiction can bederived from it.

5.12 Lemma

A set of formulas Γ is satisfiable if and only if Γ 6|= ⊥.

Proof. “⇒”: Assume that Γ is satisfiable. This means that there exists an assign-ment α such that α |= Γ. Clearly α 6|= ⊥ (since [[⊥]]α = 0). Therefore, Γ 6|= ⊥.

“⇒”: Assume Γ 6|= ⊥. This means it is not true that for all assignments α such thatα |= Γ it follows that α |= ⊥. Therefore, there exists an assignment α such thatα |= Γ, but α 6|= ⊥. In particular, there exists an assignment such that α |= Γ, whichmeans that Γ is satisfiable.

5.13 Satisfiability Theorem

A set of formulas is formally consistent if and only it is satisfiable.

Proof. Let Γ be a set of formulas. Using Lemma 5.12 above we can rephrase thestatement we have to prove equivalently as

Γ 6`c ⊥ if and only if Γ 6|= ⊥


or, equivalently, negating both sides, as

Γ `c ⊥ if and only if Γ |= ⊥.

But this is the Soundness and and Completeness Theorem (7.7.1, 7.7.2) for A := ⊥.

Remark . If Γ is satisfiable (that is Γ 6|= ⊥) one often also says that Γ is semanticallyconsistent. Hence the Satisfiability Theorem can also be phrased as follows:

A set of formulas is formally consistent if and only if it is semantically consistent.

Since formal consistency and semantic consistency coincides one often omits the pred-icate “formal” and “semantic” and just speaks of “consistency”.

5.14 Exercise

Prove the Compactness Theorem from the Soundness and Completeness Theorem.

Solution. Let Γ be a set of formulas such that every finite subset of Γ is satisfiable.By Lemma 5.12, this means that for every finite subset Γ0 of Γ we have Γ0 6|= ⊥.By the Soundness Theorem 7.7.1, it follows that for every finite subset Γ0 of Γ wehave Γ0 6`c ⊥. Therefore Γ 6`c ⊥, since if we had a derivation of ⊥ from Γ, thisderivation would be finite and would hence use only finitely many formulas in Γ asassumptions which would mean that Γ0 `c ⊥ for some finite subset Γ0 of Γ. Fromthe Completeness Theorem 7.7.2 it follows that Γ 6|= ⊥ which, by Lemma 5.12, meansthat Γ is satisfiable.

5.15 Exercises

Derive the following formulas

1. Minimal logic

(a) (A→ ¬B)→ (B → ¬A)

(b) (A→ (B → C))→ ((A→ B)→ (A→ C))

(c) A→ ¬¬A

(d) ¬(A ∧ ¬A)


(e) (A ∧ (B ∨ C))↔ ((A ∧B) ∨ (A ∧ C))

(f) (A ∨B)→ ¬(¬A ∧ ¬B)

(g) ¬(A↔ ¬A)

(f) A→ ¬(A∧B)→ (C → B)→ ¬C (essentially the “John the teacher” example)

2. Intuitionistic logic

(a) (A ∧ ¬A)→ C

(b) (¬A ∨B)→ (A→ B)

(c) (¬¬A→ A)↔ ((¬A→ A)→ A)

(d) (A ∨B)→ (¬A→ B)

3. Classical logic

(a) ¬¬A→ A

(b) (¬A→ A)→ A

(c) A ∨ ¬A

(d) ¬(¬A ∧ ¬B)→ (A ∨B)

(e) ¬(¬A ∨ ¬B)→ (A ∧B)

(f) ¬(A→ B)→ A ∧ ¬B

Sample Solution: We give a derivation for 3 (f):

u : (A→ B)→ ⊥

v : A→ ⊥ w : A →−⊥ efqB →+ w : AA→ B

→−⊥ →+ v : A→ ⊥(A→ ⊥)→ ⊥

raaA

u : (A→ B)→ ⊥x : B →+ y : AA→ B

→−⊥ →+ x : BB → ⊥ ∧+A ∧ (B → ⊥)

→+ u : (A→ B)→ ⊥((A→ B)→ ⊥)→ (A ∧ (B → ⊥))


6 Resolution

This chapter follows closely the text book [6].

Resolution is a proof method used in logic programming and automatic theoremproving. A resolution proof shows that a given formula in CNF is unsatisfiable.Resolution is defined for formulas in CNF only, and it has only one proof rule.

Recall that a literal is an atomic proposition, or the negation of an atomic proposition.For any literal L we define the dual (or opposite or complementary) literal L as

L :=

{¬A if L = A (an atomic proposition)A if L = ¬A

By a clause we mean in the following always a disjunctive clause, that is, a disjunctionof literals. It is convenient to view a clause simply as a (finite) set of literals (connectedimplicitly by ∨).

We consider a formula in conjunctive normal form (CNF) as a (finite) set of clauses(connected implicitly by ∧). Hence, in the following “set of clauses” and “CNFformula” means the same.

6.1 Example

An example of a CNF formula written in set notation is

F := {{A,E,¬B}, {¬A,B,C}, {¬A,¬D,¬E}, {A,D}}

where A,B,C,D,E are atomic formulas. This means

F = (A ∨ E ∨ ¬B) ∧ (¬A ∨B ∨ C) ∧ (¬A ∨ ¬D ∨ ¬E) ∧ (A ∨D)

The set notation implies that one ignores the order of literals and clauses as well asany duplications of literals or clauses. For example, the CNF formula

{{A,B}, {A,¬B,A}, {¬B,¬B,A}}

is the same as{{¬B,A}, {B,A}}

This means that

(A ∨B) ∧ (A ∨ ¬B ∨ A) ∧ (¬B ∨ ¬B ∨ A)

is identified with(¬B ∨ A) ∧ (B ∨ A)


6.2 Definition (Resolvent)

Let C1 and C2 be (disjunctive) clauses. A clause C is called a resolvent of C1 and C2

if there is a literal L ∈ C1 such that L ∈ C2 and

C = (C1 \ {L}) ∪ (C2 \ {L})

We also write

C1 C2R

C

to indicate that C is a resolvent of C1 and C2. For example

A ∨B ∨ ¬C ¬B ∨ ¬CR

A ∨ ¬C

Since ¬A ∨B is equivalent to A→ B, the following special cases of resolution

¬A ∨B ¬B ∨ CR¬A ∨ C

¬A ∨B AR

B

correspond to transitivity of implication and modus ponens (or implication elimina-tion), respectively

A→ B B → CA→ C

A→ B A →−B

6.3 Exercise

Compute all resolvents that can be generated from clauses in the CNF formula F ofExample 6.1.

A clause it is called trivial (or tautological) if it contains opposite literals. For examplethe clauses A∨E ∨¬B and ¬A∨B ∨C have the resolvent B ∨C ∨E ∨¬B which isa trivial clause since it contains the opposite literals B and ¬B. Trivial clauses aretautologies, that is, equivalent to >, and can therefore deleted from a CNF withoutchanging its meaning (because > ∧ A ≡ A for every formula A).

A clause C1 is said to subsume a clause C2 if C1 is a subset of C2. For exampleA ∨ ¬C subsumes A ∨ B ∨ ¬C ∨ D. Clauses that are subsumed by another clausecan be deleted without changing the meaning of the CNF (because C ∧ (C ∨ A) isequivalent to C). We identify a CNF with the equivalent CNF where all clauses


that are trivial or subsumed by another clause are deleted. For example the CNFA ∧ (B ∨ C) ∧ (A ∨ ¬B) is identified with A ∧ (B ∨ C)

A clause is called a unit clause if it contains exactly one literal. If we resolve twounit clauses, say {A} and {¬A}, we obtain the empty clause as resolvent whichcorresponds to an empty disjunction. Since the empty disjunction is, by convention,defined as the false proposition, we denote it by ⊥.

A ¬AR⊥

Since the empty clause is unsatisfiable, any CNF formula containing the empty clauseis unsatisfiable.

Given a CNF F (that is, a set of clauses) one tries to show that F is unsatisfiable byderiving the empty clause from it through repeated resolution steps.

6.4 Resolution Lemma

Let F be a CNF formula. Let C be a resolvent of two clauses in C1 and C2 in F .Then F and F ∪ {C} are equivalent.

Proof. One can either prove this by showing directly that F and F ∪ {C} have thesame value for all assignments, or give a formal proof that F implies C. For thelatter it suffices to show that, for arbitrary formulas C,D,A we have that C ∨A andD ∨ ¬A together imply C ∨D. This holds even in intuitionistic logic:

`i (C ∨ A)→ (D ∨ ¬A)→ (C ∨D)

We leave this as an exercise.

6.5 Definition (Resolution Derivation)

A resolution derivation or (proof ) of the empty clause from a clause set F is a sequenceC1, C2, . . . , Cm of different clauses such that

Cm is the empty clause, and for every i = 1, . . . ,m, Ci either is a clause in For a resolvent of two clauses Ca, Cb with a, b ≤ i.


6.6 Theorem (Soundness for Resolution Derivations)

If there is a resolution derivation of the empty clause from a clause set F , then F isunsatisfiable.

Proof.

This is a direct consequence of the Resolution Lemma (6.4). If the empty clause isderived from F , then the empty clause follows from F . Therefore, any satisfyingassignment for F would satisfy the empty clause, which is impossible.

6.7 Theorem (Completeness for Resolution Derivations)

If a clause set F is unsatisfiable, then there is a resolution derivation of the emptyclause from F .

Proof (Sketch).

If the empty clause is in F , then the empty clause is a trivial resolution derivation ofof the empty clause from F .

Therefore, we assume in the following that F does not contain the empty clause.

Let the excess of F be the number of occurrences of literals in F minus the numberof clauses in F .

The proof proceeds by induction on the excess of F .

If the excess of F is 0 then all clauses in F are unit clauses. Since F is unsatisfiable,there must be two clauses with opposite literals. Resolving these two clause yieldsthe empty clause, and we are done.

Now assume the excess of F is greater than 0. Since F does not contain the emptyclause, there must be at least one nonunit clause, say C. We select a literal L formC and form new clauses C0 := C \ {L}. and C1 := {L}.

Since F is unsatisfiable and C0 subsumes C, the clause set F0 := (F \ {C}) ∪ {C0}is unsatisfiable as well. Moreover, the excess of F0 is smaller than the excess of F .Therefore, by induction hypothesis, there is a resolution derivation d0 of the emptyclause from F0.

Similarly, the clause set F1 := (F \{C})∪{C1} is unsatisfiable, and, since its excess issmaller than the excess of F , there is, by induction hypothesis, a resolution derivationof the empty clause from F0.

If C0 is not used in d0, then d0 is in fact a derivation of the empty clause from F andwe are done.


Otherwise, we add L back into C0 and all its descendants in d0 and get a new deriva-tion d′0, which is a derivation from F . If d′0 still ends with the empty clause, then weare done. Otherwise, d′0 must end with the clause {L}(= C1).

Now we can append d1 at the end of d′0 and obtain a derivation from F of the emptyclause.

6.8 Example

Let F = (A∨B∨¬C)∧¬A∧(A∨B∨C)∧(A∨¬B). We prove that F is unsatisfiableby the following resolution derivation (a comment (i, j) means “resolvent of clauses iand j”, no comment means “clause from F”):

1 A ∨B ∨ ¬C2 A ∨B ∨ C3 A ∨B (1,2)4 A ∨ ¬B5 A (3,4)6 ¬A7 ⊥ (5,6)

Remark. In some cases resolution derivations can be found rather quickly, but there doexist examples for unsatisfiable formulas where exponentially many resolvents have tobe generated before the empty clause is derived. (cf. A. Urquhart. Hard examples forresolution. Journal of the Association of Computing Machinery 34(1987):209-219).

6.9 Exercise (2-SAT)

Show that resolution for CNFs whose clauses have length at most two terminates incubic time.

Solution. A resolvent of clauses of lengths ≤ 2 has again length ≤ 2 and containsonly atoms that were contained in the resolved clauses. Since the number of clausesof length ≤ 2 that can be formed from n atoms is (2n)2, this means that startingwith a CNF whose clauses have length ≤ 2 resolution will fail to produce new clauses(and hence terminate) after a quadratic number of resolution steps. Since the cost ofone resolution step (finding the resolvents and performing the resolution) is boundedby the size of the given CNF, this results in a cubic run time.


6.10 Exercise (Linear resolution for Horn Clauses)

Show that the following modification of the resolution calculus, called linear resolu-tion, is sound and complete for the class of Horn formulas:

Derive a resolvent from two clauses only if one of them is a unit clause and dropthe other clause.

Conclude that satisfiability for Horn formulas is decidable in quadratic time.

Solution. Let H be a Horn formula. If H is unsatisfiable, then it must containeither the empty clause, or else a positive unit clause that can be resolved withanother clause. Otherwise, the assignment that assigns 1 to exactly those atomsthat appear as (positive) unit clauses in H satisfies H. Resolving a unit clause inH with another clause C in H results in a resolvent that subsumes C. Hence C canbe safely deleted. This means that each such resolution step reduces the size of theHorn formula. Therefore linear resolution must terminate after a linear number ofresolution steps resulting in a quadratic run time. After termination, the resultingHorn formula is, by the previous considerations, unsatisfiable if and only if it containsthe empty clause.

6.11 DPLL

The Davis Putnam Logemann Loveland (DPLL) proof system is another method toshow the unsatifiability of CNFs. It derives sequents of the form Γ ` F where Γ is aset of literals (the literals that are assumed to be true) and F is a CNF, viewed asa set of clauses (and a clause is viewed as a set of literals). The meaning of Γ ` Fis that Γ and F are incompatible, that is, if all literals in Γ are true, that F is false.The special case that Γ is empty means that F is unsatisfiable.

The DPLL proof system consists of five rules (recall that L is the opposite of theliteral L):

Γ, L ` F(Unit)

Γ ` F, {L}Γ, L ` F,C

(Red)Γ, L ` F, (C,L)

Γ, L ` F(Elim)

Γ, L ` F, (C,L)

(Conflict)Γ ` F, ∅

Γ, L ` F Γ, L ` F(Split)

Γ ` F


The rules are usually applied in a backwards fashion, that is, one moves from theconclusion of a rule to its premises.

The most interesting rules are (Unit), (Split) and (Conflict).

(Unit) is the Unit Propagation Rule which says that in order to satisfy a CNF thesingle literal in a unit clause must be true.

(Split) is the Splitting Rule that allows to select a literal l and consider both caseswhen l is true or false. This the most costly rule since it introduces a branching ofthe proof search resulting in a doubling of the search space. Therefore, this rule isapplied only if no other rule can be applied

(Conflict) means that the CNF contains an empty clauses and is therefore unsatisfi-able. Hence there is nothing further to do.

The rules (Red) and (Elim) are for are for simplification and elimination of clauses. Itcan be easily shown that DPLL is sound and complete and equivalent to Resolution.

6.12 SAT solvers and their applications

Resolution and DPLL and variants thereof are the dominant proof systems imple-mented in modern SAT solvers, that is, programs that decide whether a given CNFis unsatisfiable.

Today SAT solving can be found almost everywhere in computing, for example inelectronic design automation, formal verification of software and hardware, planningand scheduling.

6.13 Example (Pythagorean triples)

A spectacular application of SAT solving in mathematics has recently been obtainedby Oliver Kullmann (Swansea University), Marijn Heule (University of Texas atAustin) and Victor Marek (University of Kentucky). They solved the long-standingopen Pythagorean Triples Problem (”Solving and Verifying the Boolean PythagoreanTriples problem via Cube-and-Conquer”. arXiv:1605.00723):

A Pythagorean triple is a triple of positive integers a, b, c such that a2 + b2 = c2, forexample 3, 4, 5 (since 32 + 42 = 52).

The Pythagorean Triples Problem asks whether it is possible to colour each of thepositive integers 1, 2, ... either blue or red such that no Pythagorean triple a, b, c, areall the same color.

This problem was open for 30 years and was solved by Kullman, Heule and Mareknegatively by showing the impossibility of such a colouring.


In fact, they showed that for the numbers 1, 2, . . . , 7825 no colouring exists thatavoids uniformly coloured Pythagorean triples in that range, while for the numbers1, 2, . . . , 7824 such a colouring does exist.

The proof was found using a SAT solver which generated a proof that is is 200 ter-abytes large and said to be the largest proof ever (see http://www.nature.com/news/two-hundred-terabyte-maths-proof-is-largest-ever-1.19990).

The Pythagorean triples problem (for a given number, say 7825) can be coded into aCNF as follows. For each number a ∈ {1, . . . , 7825} one has a variable Ba meaningthat a is coloured blue (then ¬Ba means that a is coloured red).

For each Pythagorean triple a, b, c one writes down two clauses expressing that thenumbers a, b, c are not all the same color, that is, (at least) one of them must be blueand one must be red:

(Ba ∨Bb ∨Bc) ∧ (¬Ba ∨ ¬Bb ∨ ¬Bc)

The CNF consisting of the all these clauses expresses that no Pythagorean triple isuni-coloured. Its unsatisfiability means that such a colouring is impossible.

This formula is a 3-CNF with 7825 variables and 2∗9472 = 18944 clauses (since thereare 9472 Pythagorean triples below 7825).

Note that there are 27825 ≈ 102365 assignments for this formula. Therefore, the naivemethod of checking all assignments is completely beyond reach (the number of atomsin the universe is in the area of 1080).

6.14 Exercise

Write down the CNF representing the Pythagorean triples problem for {1, . . . , 10}.

6.15 Exercise

Transform the negation of Peirce’s formula, ¬(((A→ B)→ A)→ A) into an equiva-lent CNF and show its unsatisfiability by a resolution derivation of the empty clause.


7 Predicate logic

In propositional logic we can only talk about the truth and falsity of propositions. Ifwe want to talk about objects and their relationships, or quantify objects by saying“for every object” or “there exists an object”, we need a more expressive logic calledpredicate logic also known as first-order predicate logic or first-order logic.

For example, the statement

“every positive number has a positive square root”

can be written in more detail (but still informally)

“for every number x, if 0 < x, then there exists y such that 0 < y and x = y ∗ y”

As a formula in predicate logic this reads

∀x (0 < x→ ∃y (0 < y ∧ x = y ∗ y))

The subformulas 0 < x, 0 < y, and x = y ∗ y are called atomic formulas. The infixnotation is syntactic sugar for <(0, x), <(0, y), and x = ∗(y, y). < is a predicatesymbol (denoting the less-than relation), 0 is a constant, and ∗ is a function symbol(denoting multiplication). x and y are variables.

7.1 Examples and exercises

Before studying the precise syntax, semantics and proof calculus for predicate logicwe discuss, informally, some simple examples in order to familiarise ourselves withthe new concepts.

7.1.1 Exercise

Formalise the following statements in predicate logic

u : If the train is late and there is no taxi at the station, then I’m late for the meetingv : The train is latew : I’m not late for the meeting

using the atomic formulas

TL The train is late.TS(x) Taxi x is at the stationLM I’m late for the meeting


Prove the statement “There is a taxi at the station” from the assumptions u, v, w.

Discuss whether the use of predicate logic was necessary in this example.

Solution.

u : TL ∧ ¬∃xTS(x)→ LMv : TLw : ¬LM

Informal proof: We have to show ∃xTS(x). We do a proof by contradiction. Weassume

p : ¬∃xTS(x),

aiming for a contradiction. By the assumptions u, v and p we get LM . But thiscontradicts the assumption w.

We can formalise this proof using only the proof rules of propositional logic.

w : ¬LMu : TL ∧ ¬∃xTS(x)→ LM

v : TL p : ¬∃xTS(x)∧+

TL ∧ ¬∃xTS(x)→−LM →−⊥ →+, p : ¬∃xTS(x)

¬¬∃xTS(x)raa

∃xTS(x)

This means that the use of predicate logic was not necessary: We could have encap-sulated the predicate logic formula ∃xTS(x) by treating it as an atomic propositionignoring its internal structure since it is not relevant for the proof.

7.1.2 Exercise

Formalise the statements

u : All people living in Snowdonia speak Welshv : John doesn’t speak Welsh

using the atomic formulas

S(x) Person x lives in Snowdonia.W (x) Person x speaks Welsh.

Prove the statement “John doesn’t live in Snowdonia” from the assumptions u, v.


Try to isolate a new proof rule that was necessary to complete the proof.

Solution.

u : ∀x (S(x)→ W (x))v : ¬W (John)

We have to prove ¬S(John) from the assumptions u and v. To this end we assume

w : S(John),

aiming for a contradiction. Specializing the assumption u to x = John, we obtain

S(John)→ W (John).

Using the assumption w : S(John) we conclude W (John). But this contradicts theassumption v : ¬W (John).

In order to give a fully formal proof we introduce a new proof rule, called “for allelimination” (∀−), that allows to specialize a given universally quantified statement.

∀xA(x)∀−

A(t)

Here t is a term, that is, a formal representation of an object. In our case t is theconstant John.

v : ¬W (John)

u : ∀x (S(x)→ W (x))∀−

S(John)→ W (John) w : S(John)→−

v : W (John)→−⊥ →+, w : S(John)

¬S(John)


7.1.3 Exercise

Formalise the statement

Every female who has the same father as me, is a sister of mine.

in two different ways:

(a) using a relation for father-ship,

(b) using a function symbol for denoting the father of a person.

Solution.

(a) ∀x (Female(x) ∧ ∃y (Father(y, x) ∧ Father(y,me))→ Sister(x,me)

(b) ∀x (Female(x) ∧ father(x) = father(me)→ Sister(x,me)

7.1.4 Exercise

Formalise the following statements:

(a) An American astronaut is well trained.

(b) An American astronaut has landed on the moon.

(c) Nobody danced.

The solution is left as an exercise in the lecture.

7.2 Syntax of predicate logic

As illustrated by the previous examples, predicate logic deals not only with proposi-tions, but also with objects and relations between objects. The syntactic entities todenote objects are called terms the syntactic entities to denote relations are calledpredicates. Terms are built from variables and function symbols. Each function sym-bol has an arity which specifies what sort of arguments it accepts and what sort ofresults it produces. Similarly, each predicate symbol has an arity which specifyingwhat sort of arguments it accepts.


7.2.1 Definition (Signature)

A many-sorted signature (signature for short), is a triple Σ = (S,F ,P) suchthat the following conditions are satisfied.

• S is a nonempty set. The elements s ∈ S are called sorts.

• F is a set whose elements are called function symbols, and which are of theform

f : s1 × . . .× sn → s,

where n ≥ 0 and s1, . . . , sn, s ∈ S.

s1 × . . . × sn → s is called arity of f , with argument sorts s1, . . . , sn andtarget sort s.

Function symbols are also called operations or functions.

A function symbol of the form c : → s (i.e. n = 0) is called a constant of sorts. For constants we often use the shorter notation c : s (i.e. we omit the arrow).

• P is a set whose elements are called predicate symbols, and which are of theform

P : (s1 × . . .× sn),

where n ≥ 0 and s1, . . . , sn ∈ S.

(s1 × . . .× sn) is called arity of P , with argument sorts s1, . . . , sn.

Predicate symbols are also called predicates.

Note that atomic propositions can be viewed as predicate symbols of zero ar-guments. In this sense, propositional logic can be viewed as a part of predicatelogic.

A sort s is to regarded as a name of a set, so it is similar to a type in programming. Afunction symbol f : s1× . . .× sn → s is a name for a function on the sets denoted bythe sorts s1, . . . , sn, s. This will be made more precise when we discuss the semanticsof predicate logic.

In logicians jargon a signature is also called a many-sorted first-order language andby the “arity” of a function or predicate symbol one also means just the number ofarguments it takes. If the arity is 1, 2, or 3, one speaks of unary, binary, or ternaryfunction or predicate symbols.


7.2.2 Example

Consider the signature Σ := (S,F ,P), where

S = {nat}F = {0: nat,+: nat× nat→ nat}P = {< : (nat× nat),≤ : (nat× nat)}

The function symbols of a signature Σ can be used to build formal expressions, calledterms, which denote elements of a given structure interpreting the signature Σ (thenotion of a structure will be made precise later).

7.2.3 Definition (Term)

Let Σ = (S,F ,P) be a signature, and let X = (Xs)s∈S be a family of pairwise disjointsets. The elements of Xs are called variables of sort s. We define terms and theirsorts by the following rules.

(i) Every variable x ∈ Xs is a term of sort s.

(ii) Every constant c in Σ of sort s is a term of sort s.

(iii) If f : s1 × . . .× sn → s is a function symbol in Σ, and t1, . . . , tn are (previouslydefined) terms of sorts s1, . . . , sn, respectively, then the formal expression

f(t1, . . . , tn)

is a term of sort s.

The set of all terms of sort s is denoted by T(Σ, X)s.

A term is closed if it doesn’t contain variables, i.e. is built without the use of rule(i).

The set of all closed terms of sort s is denoted by T(Σ)s. Clearly T(Σ)s = T(Σ, ∅)s.

7.2.4 Example

For the signature Σ of example 7.4.3 and the set of variables X := {x, y} the followingare examples of terms in T(Σ, X):

x


0

0 + y (which stands for +(0, y))

(0 + x) + y (which stands for +(+(0, x), y))

((0 + 0) + (x+ x) (which stands for +(+(0, 0),+(x, x))

0 + (0 + (0 + 0)) (which stands for +(0,+(0,+(0, 0)))

The second and the last of these terms are closed.

In a similar way as terms are syntactic constructs denoting objects, formulas aresyntactic construct to denote propositions.

7.2.5 Definition (Formula)

The set of formulas over a signature Σ = (S,F ,P) and a set of variablesX = (Xs)s∈Sis defined inductively by the following rules.

(i) > and ⊥ are formulas.

(ii) t1 = t2 is a formula, called equation, for each pair of terms t1, t2 ∈ T(Σ, X) ofthe same sort.

(iii) If P : (s1× . . .× sn) is a predicate symbol in P and t1, . . . , tn are terms of sortss1, . . . , sn, the P (t1, . . . , tn) is a formula.

(iv) If A and B are formulas then (A ∧B), (A ∨B) and (A→ B) are formulas.

(v) If A is a formula then (∀xA) and (∃xA) are formulas for every variable x ∈ X,called universal quantification (‘for all’) and existential quantification(‘exists’), respectively.

Formulas over a signature Σ are also called Σ-formulas

A free occurrence of a variable x in a formula A is an occurrence of x in A whichis not in the scope of a quantifier ∀x or ∃x. We let FV(A) denote the set of freevariables of A, i.e. the set of variables with a free occurrence in A. A formula A isclosed if FV(A) = ∅.We set

L(Σ, X) := {A | A is a Σ-formula ,FV(A) ⊆ X}and use the abbreviation

L(Σ) := L(Σ, ∅),i.e. L(Σ) is the set of closed Σ-formulas.


7.2.6 Remarks and Notations

1. Formulas as defined above are usually called first-order formulas, since weallow quantification over object variables only. If we would also quantify overset variables we would obtain second-order formulas.

2. A formula is quantifier free, qf for short, if it doesn’t contain quantifiers.

3. A formula is universal if it is of the form ∀x1 . . . ∀xnA where A is quantifierfree.

4. The basic formulas are⊥, equations t1 = t2 and formulas of the form P (t1, . . . , tn).for the latter we often write more briefly P (~t).

7.2.7 Abbreviations

As in the case of propositional logic we omit brackets as long as this does not lead toambiguities. We let the quantifiers bind stronger than the logical connectives, hence∀xA→ B stands for (∀xA)→ B. Furthermore, we use the following abbreviations:

Formula Abbreviation

A→ ⊥ ¬A (negation)

∀x1∀x2 . . . ∀xnA ∀x1, x2, . . . , xnA

∃x1∃x2 . . . ∃xnA ∃x1, x2, . . . , xnA

∀x1, . . . , xnA, where {x1, . . . , xn} = FV(A) ∀A (closure of A)

(A→ B) ∧ (B → A) A↔ B (equivalence)

7.2.8 Examples

A :≡ x = 0→ y + x = y

B :≡ ∃y (x = y → ∀z x = z)

C :≡ ∀x (0 ≤ x)

A is quantifier free. C is universal. A and C are universal. FV(A) = {x, y}, FV(B) ={x}.


7.2.9 Definition (Substitution)

By A[x := t] we denote the result of substituting in the formula A every free occur-rence of the variable x by the term t, possibly renaming bound variables in A in orderto avoid variable clashes.

For example,

(∀x (0 < x→ y < x+ y) ∧ ∀y (¬y < 0))[y := x+ 1]

= ∀z (0 < z → x+ 1 < z + (x+ 1)) ∧ ∀y (¬y < 0)

Note that we renamed the bound variable x by the fresh variable z. For z to be“fresh” means that z occurs neither free in the formula nor does it occur in the termt := x + 1. Note also that the occurrence of y in the subformula ¬y < 0 is notsubstituted because it is bound by ∀y .

7.3 Formalising statements in predicate logic

We now look at further examples of informal statements and their formalisations inpredicate logic. Since we haven’t yet introduced the precise semantics of predicatelogic (this will be done in Sect. 7.4) we have to rely on an intuitive understanding ofthe meaning of formulas.

7.3.1 Example (Students)

Formalise the following statements in predicate logic:

(a) All students submitted Coursework 1 or Coursework 2.

(b) All students who submitted Coursework 2 also submitted Coursework 1.

(c) Not all students attended all lectures.

(d) No student skipped all lectures.

(e) No two students attended exactly the same lectures.

Use the following signature, i.e. variables, constants function symbols and predicates,in your formalisation:


x, y students

l lectures

CW1(x) student x submitted Coursework 1

CW2(x) student x submitted Coursework 2

A(x, l) student x attended lecture l

Solution.

(a) ∀x (CW1(x) ∨ CW2(x))

(b) ∀x (CW2(x)→ CW1(x))

The remaining questions are left as an exercise for the lecture.

(c)

(d)

(e)

7.3.2 Example (Maths)

Formalise the following statements in predicate logic:

(a) The equation x2 + 1 = 0 has no solution.

(b) Exactly the non-negative numbers have a square root.

(c)√

2 is irrational.

(d) A square root of an integer is either an integer or irrational.

Use the following signature:

x, y, z real numbers

0, 1 constants 0 and 1

+, ∗ addition and multiplications (used infix)

Q(x) x is a rational number

Z(x) x is an integer

x ≤ y x is less or equal y (used infix)


You may use abbreviation, for example 2 := 1 + 1, x2 := x ∗ x, etc.

Solution.

(a) ¬∃x(x2 + 1 = 0)

(b) ∀x (∃y(y2 = x)↔ 0 ≤ x)


(c)

(d)

7.3.3 Example (Processes)

Consider a system of processes and two binary relations R and S on on processes.

If R(x, y) holds, we say x reduces y, or y is a reduct of x.

If S(x, y) holds, we say y simulates x.

The relation R is called

- deterministic if every process can be reduced in at most one way;

- confluent if whenever x reduces to y and z, then y and z have a common reduct;

- deadlock free if every process can be reduced;

- normalising if every process reduces to a process that cannot be reduced further.

The relation S is called a bisimulation for R if whenever y simulates x, then allreducts of x are simulated by some reduct of y and all reducts of y simulate somereduct of x.

(a) Formalise each of the properties of R described informally above.

(b) Formalise the property that S is a bisimulation for R.

Solution.

(a) - deterministic: ∀x∀y ∀z (R(x, y) ∧R(x, z)→ y = z).



- confluent :

- deadlock free:

- normalising :

(b)

7.4 Semantics of predicate logic

In order to determine the truth value of a formula F in propositional logic it wassufficient to have an assignment α prescribing to every atomic proposition A a truthvalue α(A) ∈ {0, 1}. For predicate logic we need in addition a universe, that is a setof objects, and assignments must prescribe meanings to

constants as elements of the universefunction symbols as functions on the universepredicate symbols as boolean valued functions on the universe

7.4.1 Definition (Structure)

A structureM = ((Ms)s∈S, α) for a signature Σ = (S,F ,P) is given by the follow-ing:

• For each sort s in S a nonempty set Ms, called the carrier set of sort s.

• An assignment α that assigns

– to each constant c : s in F an element α(c) ∈Ms,

– to each function symbol f : s1 × . . .× sn → s in F a function

α(f) : Ms1 × . . .×Msn →Ms

– For each predicate symbol P : (s1×. . .×sn) in P a boolean valued function(also called predicate or relation)

α(P ) : Ms1 × . . .×Msn → {0, 1}


7.4.2 Remarks

1. In the definition of a signature (7.2.1) the expression f : s1× . . .× sn → s is meantsymbolically, i.e. ‘×’ and ‘→’ are to be read as uninterpreted symbols. In the definitionof a structure (7.4.1), however, we used the familiar mathematical notation for set-theoretic functions to communicate by α(f) : Ms1 × . . . ×Msn →Ms a semanticalobject, namely a function α(f) whose domain is the cartesian product of the setsMsi

and whose range is Ms.

2. It is common to call the elements α(c) constants. Hence the word ‘constant’ has adouble meaning. Conversely, the function symbols of a signature are often just called’functions’. Whenever we use such slightly ambiguous names it will be clear from thecontext what is meant.

3. We will often identify the semantics of a predicate symbol, α(P ) : Ms1 × . . . ×Msn → {0, 1}, with the set {~a | ~a ∈ Ms1 × . . .×Msn , α(P )(~a) = 1} ⊆ Ms1 × . . .×Msn .

4. By a Σ-structure we mean a structure for the signature Σ.

5. Signatures with more than one sort are sometimes called many-sorted signaturesand structures without predicate symbols are sometimes called algebras. This is thecase for example in the book

[10] J V Tucker, Theory of Programming Languages, Course Notes, UWS, 2005.

7.4.3 Example

Consider the signature Σ := (S,F ,P), where

S = {nat}F = {0: nat,+: nat× nat→ nat

P = ≤ : (nat× nat)}

We follow [10] and display signatures in a box:

Signature Σ

Sorts nat

Constants 0: nat

Functions +: nat× nat→ nat

Predicates ≤ : (nat× nat)


The Σ-structure M of natural numbers with 0, and addition and the predicate ≤ isgiven by:

the carrier set N = {0, 1, 2, . . .}, that is,

Mnat = N;

the constants 0, that is,

α(0) = 0;

the operation of addition on N, that is,

α(+)(n,m) = n+m;

the relation < ⊆ N×N, that is

α(≤) = {(n,m) ∈ N×N | n ≤ m} (that is, α(≤)(n,m) = 1 iff n ≤ m).

Again we use the more readable box notation [10]

Structure MCarriers N

Constants 0

Functions +: N×N→ N

Predicates ≤ ⊆ N×N

For the signature Σ we may also consider another structure, M′ = (M′nat, α

′) withcarrier M′

nat = N+ := N \ {0} (= {1, 2, 3, 4, . . .}), the constant 1, multiplicationrestricted to N+, and the divisibility relation · | ·. Hence we have

the carrier set N+ = {1, 2, . . .}, that is,

M′nat = N+;

the constants 1, that is,

α′(0) = 1;

the operation of multiplication on N+, that is,

α′(∗)(n,m) = n ∗m;

the relation · | · ⊆ N×N, that is


α′(≤) = {(n,m) ∈ N+ ×N+ | n divides m}.

Written in box notation:

Structure M′

Carriers N+

Constants 1

Functions ∗ : N+ ×N+ → N+

Predicates ·|· ⊆ N+ ×N+

7.4.4 Remarks

1. The display of signatures and structures via boxes has to be handled with somecare. If, for example, in the box displaying the signature Σ in example 7.4.3 we wouldhave exchanged the order of the sorts nat and boole, we would have defined the samesignature. But then the box displaying the structure M would not be well-defined,since then the sort boole would be associated with the set N and nat with B, andconsequently the arities of the operations of Σ would not fit with the operations ofthe structure M.

Therefore: When displaying signatures and structures in boxes order matters.

7.4.5 Definition (Semantics of terms)

Let M = ((Ms)s∈S, α) be a structure for the signature Σ = (S,F ,P), and let X =(Xs)s∈S a set of variables.

A variable assignment η : X →M is a function assigning to every variable x ∈ Xs

an element η(x) ∈Ms.

Given a variable assignment η : X → M we define for each term t ∈ T(Σ, X)s itsvalue

tM,η ∈Ms

by the following rules.

(i) xM,η := η(x).

(ii) cM,η := α(c).

(iii) f(t1, . . . , tn)M,η := α(f)(tM,η1 , . . . , tM,η

n ).

For closed terms t, i.e. t ∈ T(Σ) (= T(Σ, ∅)) the variable assignment η and rule (i)are obsolete and we write tM instead of tM,η.


7.4.6 Exercise

Let Σ be the signature of example 7.4.3 andM the Σ-structure of the natural numberswith zero, addition and the ‘less-or-equal’ relation. Write down Σ-formulas expressingin M the following statements.

(a) x is an even number.

(b) x is greater than y.

(c) x is the average of y and z.

In order to precisely declare the semantics of a formula we define what it means fora formula to be true in a structure.

7.4.7 Definition (Semantics of logical connectives and quantifiers)

In order to define the semantics of formulas we need the semantics of the logicalconnectives and quantifiers. The semantics of the logical connectives (∧,∨,→) wasdefined in Section 2.5 by the boolean functions

∧,∨,→: {0, 1}2 → {0, 1}

It remains to define∃,∀ : P+({0, 1})→ {0, 1}

where P+({0, 1}) is the set of all non-empty subsets of {0,1}, i.e. P+({0, 1}) ={{0}, {0, 1}, {1}}. We define for every X ∈ P+({0, 1})

∃(X) :=

{1 if 1 ∈ X0 otherwise

∀(X) :=

{1 if 0 6∈ X0 otherwise

Hence,

∃(X) = 1 if and only if there exists x ∈ X such that x = 1∀(X) = 1 if and only if for all x ∈ X, x = 1

As truth tables this reads

X ∃(X){0} 0{0, 1} 1{1} 1

X ∀(X){0} 0{0, 1} 0{1} 1


7.4.8 Definition (Semantics of formulas)

Let Σ = (S,F ,P) be a signature, X = (Xs)s∈S a set of variables, M = ((Ms)s∈S, α)a Σ-structure, η : X →M a variable assignment, and A ∈ L(Σ, X) a Σ-formula.

For every formula A of predicate logic we define the value

[[A]](M, η) ∈ {0, 1}

[[>]](M, η) = 1

[[⊥]](M, η) = 0

[[t1 = t2]](M, η) =

{1 if tM,η

1 = tM,η2

0 otherwise

[[P (t1, . . . , tn)]](M, η) = α(P )(tM,η1 , . . . , tM,η

1 )

[[A �B]](M, η) = �([[A]](M, η), [[B]](M, η)) for � ∈ {∧,∨,→}[[QxA]](M, η) = Q({[[A]](M, η[x := a]) | a ∈Ms}) for Q ∈ {∀,∃}

where in the last case the variable x is assumed to be of sort s. We also define

M, η |= A :⇔ [[A]](M, η) = 1

which is to be read ‘A is true in M under η’, or ‘M, η is a model of A’.

The following Lemma is an immediate consequence of the definition above. In manytextbooks the clauses of the Lemma are used to define the semantics of formulas.

7.4.9 Lemma (Semantics of formulas)

(i) M, η |= >.

(ii) M, η 6|= ⊥, i.e. M, η |= ⊥ does not hold.

(iii) M, η |= t1 = t2 iff tM,η1 = tM,η

2 .

(iv) M, η |= P (t1, . . . , tn) iff α(P )(tM,η1 , . . . , tM,η

n ) = 1.

(v) M, η |= A ∧B iff M, η |= A and M, η |= B.

M, η |= A ∨B iff M, η |= A or M, η |= B.

M, η |= A→ B iff M, η |= A implies M, η |= B

(i.e. M, η 6|= A or M, η |= B).

(vi) M, η |= ∀xA iff M, η[x := a] |= A for all a ∈Ms

(provided x is of sort s).

M, η |= ∃xA iff M, η[x := a] |= A for at least one a ∈Ms

(provided x is of sort s).


For closed Σ-formulas A the variable assignment is obviously redundant and we write

M |= A

for M, η |= A. For a set Γ of closed Σ-formulas we say that the Σ-structure M is amodel of Γ, written

M |= Γ,

if M |= A for all A ∈ Γ.

We can now extend the notions ’logical consequence’, ’logical validity’, and ’satisfia-bility’, which we know from propositional logic, to predicate logic.

7.4.10 Definition (Logical consequence)

Let Γ be a set of closed formulas and A a closed formula. We say that A is a logicalconsequence of Γ, or Γ logically impliesM, written

Γ |= A,

if A is true in all models of Γ, that is,

M |= Γ implies M |= A, for all Σ-structures M

7.4.11 Definition (Logical validity)

A closed Σ-formula A is said to be (logically) valid, written

|= A,

if A is true in all Σ-structures, that isM |= A for all Σ-structuresM. Valid formulasis also called a tautologies.

Obviously, A is valid if and only if it is a logical consequence of the empty set offormulas.

7.4.12 Definition (Satisfiability)

A set of closed Σ-formulas Γ is called satisfiable if it has a model, that is, thereexists a Σ-structure M in which all formulas of Γ are true (M |= Γ).


7.4.13 Exercise

Show that validity and satisfiability are related by the following equivalences:

A valid ⇔ {¬A} unsatisfiable (that is, not satisfiable)

A satisfiable ⇔ {¬A} not valid

7.4.14 Definition (equivalence)

We call two Σ-formulas A,B equivalent, written A ≡ B, if they always have thesame truth value, that is, for every Σ-structure M and every variable assignmentη : X →M

[[A]](M, η) = [[B]](M, η)

This is the same as saying that for every Σ-structure M

M |= A if and only if M |= B

and also to saying that the formula A↔ B is logically valid.

Clearly, ’A ≡ B’ is an equivalence relation, that is, the following laws hold.

Reflexivity : A ≡ A for every formula A.

Symmetry : If A ≡ B then B ≡ A.

Transitivity : If A ≡ B and B ≡ C then A ≡ C.

Here is a list of useful equivalences (recall that ¬A stands for A→ ⊥):

∃xA(x) ≡ ¬∀x¬A(x)

∀xA(x) ≡ ¬∃x¬A(x)

¬∃xA(x) ≡ ∀x¬A(x)

¬∀xA(x) ≡ ∃x¬A(x)

The first two equivalences state that each of the quantifiers can be expressed by theother. The third and the fourth equivalence state that negation can be “pushedinside”.


7.4.15 Exercise (Negation normal form)

The statement

Just because nobody complains doesn’t mean all parachutes are perfect

can be formalized as

¬(¬∃x complain(x)→ ∀p (parachute(p)→ perfect(p)))

Transform this formula into an equivalent one where negation is only applied toatomic formulas (such formulas are called in negation normal form).

Solution.

¬(¬∃x complain(x)→ ∀p (parachute(p)→ perfect(p)))

≡ ¬∃x complain(x) ∧ ¬∀p (parachute(p)→ perfect(p))

≡ ∀x¬complain(x) ∧ ∃p¬(parachute(p)→ perfect(p))

≡ ∀x¬complain(x) ∧ ∃p (parachute(p) ∧ ¬ perfect(p))

7.5 The Theorems of Church and Loewenheim-Skolem

We discuss two fundamental results regarding the decidability of truth and the sizeof models in predicate logic.

7.5.1 Theorem (A Church, 1935 and A Turing, 1936)

It is undecidable whether or not a closed formula in predicate logic is valid.

This theorem can be proven by reducing the halting problem to the validity problem(i.e. coding Turing machines into logic).

Another proof is by showing that Post’s correspondence problem, which is known tobe undecidable, can be encoded by predicate logic.

Although, by the Church-Turing Theorem, the validity problem is undecidable, thereis an effective procedure generating all valid formulas (technically: the set of validformulas is recursively enumerable). We will study such a generation process in thenext chapter.

Recall that for propositional logic the situation is different: logical validity for for-mulas in propositional logic is decidable. More precisely, the set of logically valid


propositional formulas is co-NP complete, since its complement is the set of propo-sitional formulas A for which ¬A is satisfiable, which is NP complete.

Another fundamental result which concerns satisfiability is the

7.5.2 Loewenheim-Skolem Theorem

Every countable satisfiable set of closed formulas has a countable model.

A surprising consequence of the Loewenheim-Skolem Theorem is the fact there is acountable structure that satisfies the same predicate logic formulas as the (uncount-able!) structure of real numbers.

7.5.3 Examples

Consider a signature with the sorts nat and boole and the operation <: nat× nat→boole. Then the formula

∃x∀y (x < y)→ ∀y ∃x (x < y)

is a tautology. The formula

∀x, y (x < y → ∃z (x < z ∧ z < y))

is satisfiable, but not a tautology (why?). Set

Γ := {∀x¬(x < x), ∀x.y.z (x < y ∧ y < z → x < z)}

Then the formula

A :≡ ∀x, y (x < y → ¬y < x)

is a logical consequence of Γ, that is, Γ |= A.



∀ Γ ` A(x)∀+

Γ ` ∀xA(x)(*)

Γ ` ∀xA(x)∀−

Γ ` A(t)

∃ Γ ` A(t)∃+

Γ ` ∃xA(x)

Γ ` ∃xA(x) Γ ` ∀x (A(x)→ B)∃−

Γ ` B(**)

Figure 3: The rules of natural deduction for quantifiers (sequent notation)

7.6 Natural deduction proofs for predicate logic

In addition to the rules for propositional logic, the Natural Deduction calculus hasintroduction and elimination rules for the quantifiers:

(*) The ∀+ rule is subject to the so-called variable condition: x must not occur freein Γ.

(**) The ∃− rule is subject to the restriction that x must not be free in B.

Figure 4 shows the rules for quantifiers in the short notation where the assumptionsΓ are implicit.


∀ A(x)∀+∀xA(x)

(*)∀xA(x)

∀−A(t)

∃ A(t)∃+∃xA(x)

∃xA(x) ∀x (A(x)→ B)∃−

B(**)

Figure 4: The rules of natural deduction for quantifiers (short notation)

With the short notation the variable condition for ∀+ reads:


(*) x must not occur free in in any free assumption valid at that point.

7.6.1 Examples

1. In the following derivation of ∀y A(y + 1) from ∀xA(x) we use the for-all intro-duction rule, ∀+, and the for-all elimination rule, ∀−:

∀xA(x)∀−

A(x+ 1)∀+∀xA(x+ 1)

In the application of ∀+ the variable condition is satisfied, because x is not free in∀xA(x).

2. Find out what’s wrong with the following ‘derivations’.

∀y(x < 1 + y)∀−x < 1 + 0∀+∀x(x < 1 + 0)

∀x(∀y(x < y + 1)→ x = 0)∀−∀y(y < y + 1)→ y = 0 ∀y(y < y + 1)

→−y = 0

∀+∀y(y = 0)

3. The exists introduction rule, ∃+, and the exists elimination rule, ∃− are used inthe following derivation.


u : ∀x (x− 1) + 1 = x∀−

(x− 1) + 1 = x∃+∃y(y + 1 = x)∀+∀x ∃y(y + 1 = x)

→+u∀x ((x− 1) + 1 = x)→ ∀x∃y(y + 1 = x)

4. Let us derive from the assumptions ∃xA(x) and ∀x(A(x)→ B(f(x))) the formula∃y B(y):

∃xA(x)

∀x(A(x)→ B(f(x)))∀−

A(x)→ B(f(x)) u : A(x)→−

A(f(x))∃+∃y B(y)

→+uA(x)→ ∃y B(y)

∀+∀x (A(x)→ ∃y B(y))∃−∃y B(y)

We see that in the application of ∀+ the variable condition is satisfied, because x isnot free in ∃y B(y).

7.6.2 Equality rules

So far we only considered the Natural Deduction rules for logic without equality. Hereare the rules for equality:


Reflexivity reflt = t

Symmetrys = t symt = s

Transitivity r = s s = ttrans

r = t

Compatibilitys1 = t1 . . . sn = tn compf(s1, . . . , sn) = f(t1, . . . , tn)

for every operation f of n arguments

s1 = t1 . . . sn = tn P (s1, . . . , sn)comp

P (t1, . . . , tn)

for every predicate P of n arguments

7.6.3 Example

Let us derive from the assumptions ∀x, y (x + y = y + x) and ∀x (x + 0 = x) theformula ∀x, y ((0 + x) ∗ y = x ∗ y):

∀x ∀y (x+ y = y + x)∀−∀y (0 + y = y + 0)∀−0 + x = x+ 0

∀x (x+ 0 = x)∀−x+ 0 = x

trans0 + x = x refly = y

comp(0 + x) ∗ y = x ∗ y

∀+∀y ((0 + x) ∗ y = x ∗ y)∀+∀x ∀y ((0 + x) ∗ y = x ∗ y)


7.6.4 Definition (Classical, intuitionistic, minimal logic)

The notions of minimal, intuitionistic and classical derivability for predicate logiccompletely analogous to the propositional case (Definition 5.6), but for formulas inpredicate logic and for derivations composed from propositional rules and the newrules for quantifiers and equality:

Let Γ be a (possibly infinite) set of formulas and A a formula, all in predicate logic.

Γ `c A : ⇔ Γ0 ` A is derivable for some finite subset Γ0 of Γ.

(A is derivable from Γ in classical logic)

Γ `i A : ⇔ Γ `c A with a derivation not using the rule reductio-ad-absurdum.

(A is derivable from Γ in intuitionistic logic)

Γ `m A : ⇔ Γ `c A with a derivation using neither the rule reductio-ad-absurdum nor the rule ex-falso-quodlibet.

(A is derivable from Γ in minimal logic)

7.6.5 Lemma

Let t(x) be a term possibly containing the variable x, and let r, s be terms of thesame sort as x. Then

r = s `m t(r) = t(s)

Proof. Induction on t(x).

If t(x) is a constant or a variable different from x, then t(r) and t(r) are the sameterm t. Hence the assertion is r = s `m t = t which is an instance of the reflexivityrule.

If t(x) is the variable x then t(r) is r and t(s) is s, and the assertion becomes r =s `m r = s which is an instance of the assumption rule.

Finally, consider t(x) of the form f(t1(x), . . . , tn(x)). By induction hypothesis we mayassume that we already have a derivation of r = s `m ti(r) = ti(s) for i = 1, . . . , n.One application of the compatibility rule yields the required sequent.


7.6.6 Lemma

Let A(x) be a formula possibly containing the variable x, and let r, s be terms of thesame sort as x. Then:

r = s `m A(r)↔ A(s)

Proof. Induction on the formula A(x).

If A(x) is an equation, say, t1(x) = t2(x), then we have to derive

r = s `m t1(r) = t2(r)↔ t1(s) = t2(s)

By Lemma 7.6.5 we have already derivations of

r = s `m t1(r) = t1(s) and r = s `m t2(r) = t2(s)

It is now easy to obtain the required derivation using the symmetry rule and thetransitivity rule. We leave this as an exercise to the reader.

If A(x) is a compound formula we can use the induction hypothesis in a straightfor-ward way.

7.7 Soundness and completeness

The soundness and completeness theorems for predicate logic are analogous to thepropositional case. However, now the notion of a model is much more complex. Whilein the propositional case a model was just a vector of Booleans (assigning truth valuesto atomic propositions), in the case of predicate logic a model is a first-order structurewhich is a rather complex object.

7.7.1 Soundness Theorem for predicate logic

If Γ `c A then Γ |= A.

Proof. The proof is easy and similar to the propositional case, but taking intoaccount the additional rules for quantifiers .

7.7.2 Completeness Theorem for predicate logic (K Godel, 1929)

If Γ |= A then Γ `c A.


In words: If A is a logical consequence of Γ (i.e. A is true in all models of Γ), thenthis can be formally derived by the inference rules of natural deduction for predicatelogic.

The proof of this theorem is completely different from the corresponding proof for thepropositional case and beyond the scope of this course. Detailed expositions can befound in any textbook on Mathematical Logic. The original proof is part of Godel’sdoctoral dissertation.

The notion of formal consistency is analogous to the propositional case:.

7.7.3 Definition (Formal consistency for predicate logic)

A (possibly infinite) set of formulas Γ is called formally consistent if Γ 6`c ⊥, thatis there is no (classical) derivation of ⊥ from assumptions in Γ.

In other words: A set of formulas Γ is formally consistent if and only if no contradic-tion can be derived from Γ.

7.7.4 Satisfiability Theorem for predicate logic

Every consistent set of formulas has a model.

Proof. As for the propositional case.

Another important consequence of Godel’s Completeness Theorem is the fact that alllogically valid formulas can be effectively enumerated.

7.7.5 Enumerability Theorem for predicate logic

The set of all logically valid formulas is recursively enumerable, that is, there is aneffective procedure producing all logically valid formulas.

Proof. By the Soundness and Completeness Theorem, the logically valid formulasare exactly the provable ones. Hence, it suffices to systematically generate all proofs.

By the Church-Turing Theorem (Theorem 7.5.1) we know that logically validity inpredicate logic is undecidable. Therefore, effective enumerability for logically validformulas in predicate logic is the best one can achieve.


7.8 Axioms and rules for natural numbers and other datatypes

For many common data types we can formulate axioms describing their characteristicfeatures. We will only treat the (unary) natural numbers. Similar axioms could bestated for binary number, lists, finite trees etc., more generally for freely generateddata types.

7.8.1 Peano Axioms

The following axioms and rules where introduced (in a slightly different form) byPeano to describe the structure of natural numbers with zero and the successor func-tion (we write t+ 1 for the successor of t).

G Peano (1858 - 1932)

In the following the terms s, t and the variable x are supposed to be of sort nat.

Peano 1 peano10 6= t+ 1

Peano 2 peano2s+ 1 = t+ 1→ s = t

InductionA(0) ∀x (A(x)→ A(x+ 1))

ind∀xA(x)


7.8.2 Remark

In applications there will be further axioms describing additional operations on thenatural numbers. Examples are, the equations defining addition and multiplicationby primitive recursion:

x+ 0 = x

x+ (y + 1) = (x+ y) + 1

x ∗ y = 0

x ∗ (y + 1) = x ∗ y + x

At least as famous as the Completeness Theorem for Predicate Logic is Godel’s (First)Incompleteness Theorem for the theory of natural numbers given by the Peano Ax-ioms (On Formally Undecidable Propositions of Principia Mathematica and RelatedSystems, Monatshefte fur Mathematik und Physik 38, 1931 ).

7.8.3 Incompleteness Theorem (K Godel, 1931)

Every consistent and effectively presented system of axioms and rules extending thePeano Axioms is incomplete, that is, there exists a formula A such that neither Anor its negation ¬A is provable.

In particular, there exists a true statement about natural numbers that is not prov-able.

Similar Incompleteness Theorems hold for lists and trees and other data types thatcan (in principle) be encoded by natural numbers.


8 Outlook: Other logics

In this concluding chapter we very briefly describe some other logics that are veryimportant in Computer Science. Many of these logics are extensions of propositionallogic or predicate logic. A good background reading for this chapter is the book [10].

8.1 Second-Order Logic

Predicate logic is sometimes called First-Order Logic (FOL) because one can quantifyonly over objects, which are called ’first-order’ (∀x, ∃x).

Second-Order Logic (SOL) allows in addition for quantification over predicates (orsets or properties). In order to express this, Second-Order Logic has so-called second-order variables X, Y, . . . ranging over predicates (in addition to the usual first-ordervariables x, y, . . .). Furthermore, one can build formulas of the form

∀X A(X), meaning that A(X) holds for all predicates X.

∃X A(X), meaning that A(X) holds for some predicate X.

Second-Order Logic (abbreviated SOL) can express many concepts that are importantin Computer Science, for example:

Finiteness There exist only finitely many x such that . . . (see the exercise below).

Reachability Node y is reachable from a node x (in a given graph or network)

Order completeness Every non-empty bounded set has a least-upper bound (in agiven ordered structure, for example the real numbers)

Being a natural number x is a natural number, where x ranges of real numbers(see the example below).

None of these concepts can be expressed in First-Order Logic. For example, in FOLone can say “there exist no more than two”, “there exist no more than three” etc.,but it is not possible to say “there exist only finitely many”.

Exercise. Use the Compactness Theorem (which holds for FOL) to show that it isimpossible to express “there exist only finitely many” in FOL.

More precisely, let Σ be a signature containing a unary predicate P . Show that thereis no Σ-formula A such that for all Σ-structures M,


A is true in M if and only if P (a) is true in M for finitely many a only.

Solution. Assume such a formula A exists. For n ∈ N let Bn be a formula expressingthat P (x) holds for at least n elements x:

Bn := ∃x1 . . . ∃xn(∧

1≤i,j≤n,i6=j

xi 6= xj ∧ P (x1) ∧ . . . ∧ P (xn))

(for example C3 = ∃x1∃x2∃x3 (x1 6= x2∧x1 6= x3∧x2 6= x3∧P (x1)∧P (x2)∧P (x3))).

Let Γ := {A,B1, B2, B3, . . .}. Clearly, every finite subset Γ0 of Γ is satisfiable: Justtake a Σ-structure where P is interpreted by a set with n elements where n is thelargest number such that Bn ∈ Γ0.

By the Compactness Theorem, Γ is satisfiable by some Σ-structure M. Because Msatisfies all B1, B2, B3, . . ., P (a) must hold by infinitely many elements of M. ButM also satisfies A (since A ∈ Γ). This contradicts the assumption that all models ofA interpret P as a finite set.

Example. Let x be a variable ranging over real numbers. The property N(x)expressing that x is a natural number can be defined in SOL as follows:

N(x) := ∀X (X(0) ∧ ∀y (X(y)→ X(y + 1)))→ X(x))

Moreover, with this definition the proof principle of induction over natural numbers

A(0) ∧ ∀x (A(x)→ A(x+ 1))→ ∀x (N(x)→ A(x))

can be logically proven (and must not be stated as an axiom).

On the other hand many of the good properties of First-Order Logic do not hold forSecond-Order Logic. For example, the Compactness Theorem, the Completeness andthe Loewenheim-Skolem Theorem all fail for Second-Order Logic.

8.2 Temporal Logic

Temporal logic has been introduced to reason about time dependent statements. Itwas first considered by the logician and philosopher Arthur Prior (1914-1969). To-day, temporal logic is used in computer science to describe and verify state dependentsystem. The main idea is that a formally is not statically true or false, like in Proposi-tional Logic or Predicate Logic, but its truth value may be dynamically change as thestate changes in time. Important publications are A. Pnueli. The Temporal Logic of


Programs. 18th annual IEEE-CS Symposium on Foundations of Computer Science,pages 46-77, 1977, and M. Ben-Ari, Z. Manna, A. Pnueli. The Temporal Logic ofBranching Time. ACM POPL’81, Acta Informatica vol 20, pages 207-226, 1983. Agood overview of the subject is given in E.A. Emerson. Temporal and modal logic.Handbook of Theoretical Computer Science, Chapter 16. MIT Press, 1995.

There are many different variants of temporal Logic which mainly differ in the modelof time. In Linear Temporal Logic (LTL) time is modelled as a sequence of states thatextends indefinitely into the future. Linear temporal Logic is an extension of propo-sitional logic. In addition to atomic propositions, ⊥,>, conjunction, disjunction,implication and negation there are

XA, meaning that A holds in the neXt state.

FA, meaning that A holds in some Future state.

GA, meaning that A holds Globally, that is, in all future states.

AUB A, meaning that A holds Until B holds, and B will hold eventually.

The symbols X,F,G,U,W are called temporal connectives.

A model of LTL is a sequence α = α1, α2, . . . where each αi is an assignment in thesense of propositional logic. For an atomic proposition A, αi(A) = 1 means that Aholds in state i. Usually one considers as models all paths through a given directedgraph whose nodes are labelled by propositional logic assignments. Such graphsdescribe the possible state transitions of a given computational system. The value ofan LTL formula A in a model α at state i, written [[A]]α, i is defined as follows:

[[A]](α, i) = αi(A) (for atomic propositions A)

[[>]](α, i) = 1

[[⊥]](α, i) = 0

[[¬A]](α, i) = ¬([[A]](α, i)

[[A �G]](α, i) = �([[A]](α, i), [[G]](α, i)) for � ∈ {∧,∨,→}[[XA]](α, i) = [[A]](α, i+ 1)

[[FA]](α, i) = 1 if [[A]](α, j) = 1 for some state j ≥ i,

0 otherwise

[[GA]](α, i) = 1 if [[A]](α, j) = 1 for all states j ≥ i,

0 otherwise

[[AUB]](α, i) = 1 if there is a state k ≥ i s.t. [[A]](α, j) = 1 for i ≤ j < k and [[B]](α, k) = 1,

0 otherwise

Models are often depicted in the form


1 2 3 4 5 6 7 8 . . .(A) → () → (B) → (A,B) → (B) → (A,B) → (B) → (A,B) → . . .

meaning that A holds exactly at the states 1, 4, 6, 8, . . . and B holds exactly at thestates 3, 4, 5, 6, 7, 8 . . ..

Exercise. Which of the following formulas hold at state 1 in the model shown above.

(a) A

(b) B

(c) XA

(d) X G (A→ B)

(e) G FA (this expresses that A will be true infinitely often)

(f) F GA (this expresses that from some point on A will be always true)

(g) F GB

(h) X ((¬A) UB)

The temporal operators F and G are also known as modalities and are sometimeswritten 3 and 2. Hence Temporal Logic is an example of Modal Logic (see thesection on Modal Logic).

8.3 Modal Logic

Modal Logics are used to reason about distributed, concurrent and multi-agent com-puting systems, but also to reason about knowledge and belief. In modal logic onehas, in addition to propositional formulas, the formulas

2A (A is necessarily true)

3A (A is possibly true)

The precise meaning of the modalities 3 and 2 depends on the application. Some(simplified) examples:


2A 3ATemporal logic A holds always in the future A holds sometime in the futureDeontic logic A must be done A may be doneEpistemic logic A is known A is believedProcess logic A holds in all accessible states A holds in some accessible state

The most common interpretation of modal logic is through Kripke models, introducedby the logician and philosopher Saul Kripke (born 1940).

A Kripke model is a triple (W,R, ) where:

W is a set of possible worlds.

R is an accessibility relation between worlds.

is a relation between worlds and formulas such that

w ¬A if and only if w 6 A,

w A ∧B if and only if w A and w A,

w A ∨B if and only if w A or w A

w 2A if and only if v A for all v ∈ W such that R(w, v),

w 3A if and only if v A for some v ∈ W such that R(w, v).

A modal formula A holds in a Kripke model (W,R, ) if w 3A holds for all w ∈ W .

A modal formula A is valid if it holds in all Kripke models.

Often one restricts the class of Kripke models to characterise variants of modal logic.For example, one may consider only those Kripke models where the accessibilityrelation is transitive or linear.

It is easy to see that the formulas

2A↔ ¬3¬A and 3A↔ ¬2¬A

are valid. Hence the each modality can be defined in terms of the other. One alsosays that the modalities are dual to each other (in the same way as the quantifiers∀x and ∃x are dual to each other).

Modal logic is particularly attractive for computer science since on the one hand itcan express many important properties of processes, but on the other hand validityis decidable (in contrast to predicate logic where validity is undecidable). Therefore,modal logic is used in many tools for automated program verification.

A good introduction into the history of modal logic is R. Goldblatt. MathematicalModal Logic: A view of its evolution. Handbook of the History of Logic, Vol 7, 2006.


8.4 Hoare Logic

Hoare logic is a proof calculus for verifying imperative programs introduced by TonyHoare in 1969 (An axiomatic basis for computer programming, Communications ofthe ACM 12 (10): 576580). It derives statements of the form

{P}S {Q}

called Hoare triples, where P and Q are formulas, and S is a command, that is, afragment of an imperative program. The formula P is called precondition and theformula Q is called postcondition.

The intuitive meaning of a Hoare triple {P}S {Q} is:

If P holds before the execution of S and the execution of S terminates, thenafter termination Q will hold.

An example of a valid Hoare triple is

{x < 3} x := 2 ∗ x+ 1 {x < 6}

an an invalid one is{x < 3} x := 2 ∗ x+ 1 {x > 4}

(assuming x is of natural number type).

Here are the core rules of Hoare logic:

{P} skip {P}

{P [E/x]}x := E {P}

{P}S {Q} {Q}T {R}{P}S;T {R}

{B ∧ P}S {Q} {¬B ∧ P}T {Q}{P} if B thenS elseT {R}

P1 → P2 {P2}S {Q2} Q2 → Q1

{P1}S {Q1}

{B ∧ P}S {P}{P}whileB doS {¬B ∧ P}


This interpretation of Hoare triples corresponds to partial correctness because validityof a triple does not guarantee that the program S terminates.

For total correctness one would require that the execution of S actually terminates.In this case Hoare triples are usually written with square brackets, [P ]S [Q], and theinterpretation is

If P holds before the execution of S, then the execution of S will terminate andafter termination Q will hold.

All rules above except for the while-rule are valid for total correctness. The whilerule has to be modified as follows:

[B ∧ P ∧ t = z] S [P ∧ t < z]

[P ] whileB doS [¬B ∧ P ]

Here t is an expression and z a variable of natural number type. The premise of therule guarantees that as long as B holds, each execution of S will decrease the value oft. Since this decrease can only happen a finite number of times, the execution of thewhile loop must terminate. The crucial mathematical property of the natural numbersused here is the fact that the ordering < on the natural numbers is wellfounded.This means that there is no infinite decreasing chain n1 > n2 > . . . such that allni are natural numbers. The total while-rule above is valid more generally for anywellfounded ordering.

8.5 Fuzzy Logic

Fuzzy Logic an example of a Many Valued Logic. The main idea is that instead ofonly the Boolean truth values 0 (“false”) and 1 (“true”), any real number between 0and 1 is a possible truth value of a formula. [[A]] = p can be read as “A is true withprobability p” or as “A is true to a degree p”. For example

[[Rain]] = 1 means “it will certainly rain”[[Rain]] = 0.1 means “there is a 10% chance of rain”

Another interpretation of [[A]] = p would be “A is true to a degree p”. For example

[[Hot]] = 1 means “it is very hot”[[Hot]] = 0.2 means “it is rather cold”


In fuzzy logic the truth tables for the logical connectives are replaced by mathematicalformulas, such as

¬x = 1− xx ∧ y = min(x, y)

x ∨ y = max(x, y)

Fuzzy logic has many applications in daily life and science. For example, train con-trol, recognition of handwriting, reduction of fuel consumption, reduction of energyconsumption in vacuum cleaners, reasoning with uncertainty, genetic algorithms, etc(see L. A. Zadeh, et al. 1996 Fuzzy Sets, Fuzzy Logic, Fuzzy Systems, World ScientificPress).

csc375/cscm75 logic for computer science

Documents